10341000x8000000000000000342480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.984{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000342479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.984{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000342478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.984{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000342477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.983{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000342476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.983{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000342475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.983{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 354300x8000000000000000342474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.139{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50217-false52.73.161.63ec2-52-73-161-63.compute-1.amazonaws.com443https 354300x8000000000000000342473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.139{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local58322- 354300x8000000000000000342472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.137{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local64741- 354300x8000000000000000342471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.136{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50215-false69.192.209.51a69-192-209-51.deploy.static.akamaitechnologies.com443https 354300x8000000000000000342470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.132{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local60140- 354300x8000000000000000342469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.130{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50214-false23.48.205.83a23-48-205-83.deploy.static.akamaitechnologies.com443https 354300x8000000000000000342468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.107{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50212-false69.192.209.51a69-192-209-51.deploy.static.akamaitechnologies.com443https 354300x8000000000000000342467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.103{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50210-false23.48.205.83a23-48-205-83.deploy.static.akamaitechnologies.com443https 354300x8000000000000000342466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.100{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50213-false52.73.161.63ec2-52-73-161-63.compute-1.amazonaws.com443https 354300x8000000000000000342465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.099{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50211-false23.48.205.83a23-48-205-83.deploy.static.akamaitechnologies.com443https 354300x8000000000000000342464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.090{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63192- 354300x8000000000000000342463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.089{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local64325- 354300x8000000000000000342462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.088{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local55831- 354300x8000000000000000342461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.085{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local61647- 354300x8000000000000000342460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.084{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local56592- 354300x8000000000000000342459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.083{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local56305- 354300x8000000000000000342458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:22.977{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50209-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000342457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.889{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16FA4C79BF08AF9046AAE8AA15160E31,SHA256=8E69FBABBF6F741B05423F57E23E90F107B6B3A90440A2FF5375F82765B9E0AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000342456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.878{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000342455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.878{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000342454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.878{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000342453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.878{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000342452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.878{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000342451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.878{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 734700x8000000000000000342450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.796{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000342449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.796{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000342448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.795{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000342447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.794{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 23542300x8000000000000000342446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.785{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\indexMD5=DF5B253A35AB153D699566D354497BD8,SHA256=2BBF5C3631BB46CAFEB969F3E6C25FEC2CEF06D52EF3EFD68AE098F311B97DAD,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000342445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.775{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000342444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.774{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000342443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.773{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000342442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.773{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000342441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.762{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000342440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.762{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000342439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.761{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000342438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.761{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000342437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.761{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000342436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.761{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000342435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.760{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000342434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.760{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000342433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.760{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000342432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.760{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000342431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.759{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000342430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.759{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000342429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.759{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000342428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.759{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000342427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.759{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000342426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.759{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000342425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.758{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000342424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.758{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000342423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.758{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000342422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.757{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000342421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.757{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000342420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.757{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000342419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.757{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000342418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.756{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000342417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.756{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000342416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.756{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000342415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.756{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000342414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.755{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000342413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.754{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 23542300x8000000000000000342412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.754{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D56223ACF66F4E2D8D0AD6F2BD345074,SHA256=CDEC9DBAAA346DD899900890040AD84AC90FD85AE3D840C7F9C09066C186AE9D,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000342411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.753{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000342410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.752{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000342409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.751{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000342408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.748{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.745{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000342406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.743{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000342405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.741{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000342404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.738{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000342403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.736{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.736{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.736{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.735{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.735{6820D070-4ACF-6323-0500-000000007502}404520C:\Windows\system32\csrss.exe{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000342398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.734{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000342397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.734{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000342396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:22.684{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local61637- 354300x8000000000000000342395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:22.684{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local60915- 23542300x8000000000000000342394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.720{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\storage\default\https+++www.tutorialspoint.com\ls\data.sqlite-journalMD5=7BD846687A299E1AE83C2F4A27AE9262,SHA256=FEC933A3B73800E7CD36683FAAAE7EFD0534065B236890D116C6985047C53C1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000342393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.709{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\storage\default\https+++www.tutorialspoint.com\ls\data.sqlite-journalMD5=33D4D8A815DCE0C2199C431E68B18AA5,SHA256=E46AEE76B266CC17F7C33A61237F1B948B2F6BFAA7CE6BE5031F8DAAD361566E,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000342392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.696{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\mfperfhelper.dll10.0.14393.0 (rs1_release.160715-1616)MFPerf DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmfperfhelper.dllMD5=DAD53152E620AB1D256F531CCDDF4C96,SHA256=577A697C088A319A9839989E18548F46121E661D56C701DE0360905E814BC12D,IMPHASH=A00BC62B03D75EE2D584A9E7EFBA79A6trueMicrosoft WindowsValid 23542300x8000000000000000342391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.696{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\storage\default\https+++www.tutorialspoint.com\ls\data.sqlite-journalMD5=BB273CCDFD0003EBEA87883C13BD96E7,SHA256=52671A03B8796CC18E46C6D688C951B7C59DE2314EE47924B1FDDBBAF63A9C32,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000342390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.693{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\MSAudDecMFT.dll10.0.14393.206 (rs1_release.160915-0644)Media Foundation Audio DecodersMicrosoft® Windows® Operating SystemMicrosoft CorporationMSAudDecMFT.dllMD5=899A520E5B6B8631DF6863BBD33A4264,SHA256=2A23CAF4CC2D11A20574EDE1755D03F4FF1ECDCE3D626A69D85CFE46703BC97D,IMPHASH=564825227B20C446A4E5874DD1BAF1FAtrueMicrosoft WindowsValid 734700x8000000000000000342389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.691{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msdmo.dll10.0.14393.0 (rs1_release.160715-1616)DMO RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationmsdmo.dllMD5=3246C9C5ECF6555103C7119161ACC8C8,SHA256=3A29292F04B09A91C305062E00756194A83BDEA3ABB1BFB783D908E6D1BEBFBC,IMPHASH=B5AB2AA782AD334C5633AAE30A2CFF41trueMicrosoft WindowsValid 734700x8000000000000000342388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.691{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\MP3DMOD.DLL10.0.14393.0 (rs1_release.160715-1616)Microsoft MP3 Decoder DMOMicrosoft® Windows® Operating SystemMicrosoft Corporationmp3dmod.dllMD5=A9B35CD3C0A14AE1B9DAA8E4114B8E49,SHA256=25142AF94A5C151055C5DAAB89D183F923CE47EE61D8D3B38DE2BC833FC16E18,IMPHASH=33FA1A40805F452D7ED8E842BB1DA59BtrueMicrosoft WindowsValid 18141800x8000000000000000342387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:24.691{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.16300775278136278029C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000342386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:24.691{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.16300775278136278029C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000342385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.686{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\storage\default\https+++www.tutorialspoint.com\ls\data.sqlite-journalMD5=244C10DE408795F0C61B671692B9B54B,SHA256=80467C2BD5B404EF74ED945744942028F98E04178B5B4104486D9327DF592B7C,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000342384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.673{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000342383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.668{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\evr.dll10.0.14393.2515 (rs1_release_1.180830-1044)Enhanced Video Renderer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationevr.dllMD5=4F00E99C3E92226B072C0E80D52A82F4,SHA256=7788212BD473C69B3C8F6705A7470BE783BE0244BC289334EFA579AAD2C9A91C,IMPHASH=C44CF843A574B60FED1B4D29827EBA14trueMicrosoft WindowsValid 734700x8000000000000000342382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.664{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\dxva2.dll10.0.14393.0 (rs1_release.160715-1616)DirectX Video Acceleration 2.0 DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdxva2.dllMD5=DE24CAC5A0B3CE1AD8057FE258712365,SHA256=5CA1E7FBA01D92AA3F933A00E495460DC5DB38DAD2CAD370782474F50F9C964E,IMPHASH=338B9EB254A5341CE890B2511DF3DFAEtrueMicrosoft WindowsValid 734700x8000000000000000342381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.663{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\mf.dll10.0.14393.5006 (rs1_release.220301-1704)Media Foundation DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmf.dllMD5=B3125628D278292F8EB16B1DC0B7DDAF,SHA256=6BF3676FC778B95462F080EA33815AB5FCCC0EA2DE4EB086FCE786E2E1FD2662,IMPHASH=224763A9487AA02E14432742CBC2F08EtrueMicrosoft WindowsValid 734700x8000000000000000342380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.661{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\RTWorkQ.dll10.0.14393.479 (rs1_release.161110-2025)Realtime WorkQueue DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationRTWorkQ.dllMD5=1EABA23A7305A232C9A16C14806ED091,SHA256=3AD1A84A56EE0DA68B40D40770787FEED3DCF4A74BE172F01BD837FD680396E6,IMPHASH=41E263D9EB0100A59E34B18CF8F6F725trueMicrosoft WindowsValid 734700x8000000000000000342379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.659{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\mfplat.dll10.0.14393.4169 (rs1_release.210107-1130)Media Foundation Platform DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmfplat.dllMD5=6B3DD2386B60D0003B3A0A1AE706A9C5,SHA256=2DF94FA3C88D5D8AB5A981C0182263B5D8161CE0F96687D2DF7892EB4F25104C,IMPHASH=4B0B41F559164385A004BCC689586F63trueMicrosoft WindowsValid 734700x8000000000000000342378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.658{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozavutil.dll104.0.2-FirefoxMozilla Foundationmozavutil.dllMD5=93209E2F0966FD267CCA5D52ED209298,SHA256=1B62422C2A6AF6AF87C781291CCE8D5AB31821F77BC1791E43F7A0CF4161B82C,IMPHASH=11BB9E641A35A22B0C79747CAD934F04trueMozilla CorporationValid 734700x8000000000000000342377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.657{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozavcodec.dll104.0.2-FirefoxMozilla Foundationmozavcodec.dllMD5=EF512B58F9F81486D14C33A60FCCF6EF,SHA256=DCCC26865E7C4842AC289219E0026654E454C3C1966ABB08D0DE6C25C046EAA9,IMPHASH=3FF103720EF814BD7CF637C6C5C071CFtrueMozilla CorporationValid 734700x8000000000000000342376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.656{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000342375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.656{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x8000000000000000342374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.651{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 10341000x8000000000000000342373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.649{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.647{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x8000000000000000342371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.644{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000342370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.642{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000342369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.641{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1a81b5a|C:\Program Files\Mozilla Firefox\xul.dll+1a7fb67|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000342368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:24.641{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.27.209039791C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000342367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.632{6820D070-4D64-6323-ED00-000000007502}61404084C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+114dfb|C:\Program Files\Mozilla Firefox\xul.dll+12ee2b1|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000342366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:24.631{6820D070-4D64-6323-ED00-000000007502}6140\gecko-crash-server-pipe.6140C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000342365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.623{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x8000000000000000342364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.622{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000342363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.622{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000342362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.622{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\d3d10warp.dll10.0.14393.2608 (rs1_release.181024-1742)Direct3D 10 RasterizerMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D10Warp.dllMD5=B69F0419A16A616FE2D779EC98CD7FB9,SHA256=2D10B43F2137433E48A009227487C691E312D186691485D33B4FDF90D8423C9D,IMPHASH=E32C7474360C94A9FE5E17141A4AB35FtrueMicrosoft WindowsValid 734700x8000000000000000342361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.615{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000342360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.615{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000342359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.615{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000342358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.614{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000342357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.613{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=55FCE44E89BDA2444619661FE50F43EE,SHA256=420CACA0D821E7E9F1D1E683E9899BC2F6D5A4AA06C8D4BB23335DD9490CC0F8,IMPHASH=8B8383FC3FA03C92F859A2AF899A52ADtrueMicrosoft WindowsValid 734700x8000000000000000342356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.613{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll104.0.2-FirefoxMozilla Foundationxul.dllMD5=0A51F22D078855CE4E32F0987E9B06C6,SHA256=CD073C7F42A13D192E8E96AC16B0C2BE56D40424768DC65733380AB4AFBD4716,IMPHASH=9A9A84C657A1B1C5F1F6F1989D349543trueMozilla CorporationValid 734700x8000000000000000342355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.611{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ResourcePolicyClient.dll10.0.14393.3808 (rs1_release.200707-2105)Resource Policy ClientMicrosoft® Windows® Operating SystemMicrosoft CorporationResourcePolicyClient.dllMD5=8FD5FEFE4E020BBC2D95F07BCDC84F71,SHA256=E5E351822CCDEBF81C47C4CA1D5C158E2880C1BD29CA024D163FD9316F3046AE,IMPHASH=E494F732179E765F2CE18BC21CDB1948trueMicrosoft WindowsValid 734700x8000000000000000342354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.609{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll104.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=8A81C934123E7CA79B7A1741570D3336,SHA256=0A0F351BBB315E6364398A55F77607E57C29CB83BEE9FC6D7EA6DC3D761964DA,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x8000000000000000342353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.609{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\dxgi.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)DirectX Graphics InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationdxgi.dllMD5=3925E01E00CC6FF3435E0657E78562D0,SHA256=843F42CE8D28816A990ADB0B9393592703F8CE5A4008E5F5513815A2886F973F,IMPHASH=83736A76214A92F5C1B53248D0C22863trueMicrosoft WindowsValid 734700x8000000000000000342352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.609{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x8000000000000000342351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.608{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000342350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.607{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\d3d11.dll10.0.14393.5006 (rs1_release.220301-1704)Direct3D 11 RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D11.dllMD5=C9DBBC2C3A27BB195586C3BC3CDBC198,SHA256=005F60E22A386DB12FA086D7E83DE521B00F69B073D1859E4E13C3F745690638,IMPHASH=460DAE5CA92CB705C37D78BE630D6120trueMicrosoft WindowsValid 734700x8000000000000000342349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.607{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll104.0.2-FirefoxMozilla Foundationnss3.dllMD5=53509A4511300964ADB047AD5F1F1170,SHA256=2241536476C6C2CCE371DCFB08432C351198809A577FFC2E79D27FCEAAB6FEE5,IMPHASH=C637BF48786E5FC945D5268F49B50500trueMozilla CorporationValid 734700x8000000000000000342348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.605{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\MSAudDecMFT.dll10.0.14393.206 (rs1_release.160915-0644)Media Foundation Audio DecodersMicrosoft® Windows® Operating SystemMicrosoft CorporationMSAudDecMFT.dllMD5=899A520E5B6B8631DF6863BBD33A4264,SHA256=2A23CAF4CC2D11A20574EDE1755D03F4FF1ECDCE3D626A69D85CFE46703BC97D,IMPHASH=564825227B20C446A4E5874DD1BAF1FAtrueMicrosoft WindowsValid 734700x8000000000000000342347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.605{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000342346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.604{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000342345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.604{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msdmo.dll10.0.14393.0 (rs1_release.160715-1616)DMO RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationmsdmo.dllMD5=3246C9C5ECF6555103C7119161ACC8C8,SHA256=3A29292F04B09A91C305062E00756194A83BDEA3ABB1BFB783D908E6D1BEBFBC,IMPHASH=B5AB2AA782AD334C5633AAE30A2CFF41trueMicrosoft WindowsValid 734700x8000000000000000342344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.603{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000342343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.602{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000342342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.602{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000342341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.602{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\MP3DMOD.DLL10.0.14393.0 (rs1_release.160715-1616)Microsoft MP3 Decoder DMOMicrosoft® Windows® Operating SystemMicrosoft Corporationmp3dmod.dllMD5=A9B35CD3C0A14AE1B9DAA8E4114B8E49,SHA256=25142AF94A5C151055C5DAAB89D183F923CE47EE61D8D3B38DE2BC833FC16E18,IMPHASH=33FA1A40805F452D7ED8E842BB1DA59BtrueMicrosoft WindowsValid 23542300x8000000000000000342340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.601{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\17385MD5=3DC9BC9545DE79F528E88C1B4481CE13,SHA256=168F2ED634A71F06EADCF13A1DE415824D0719DAC6727725146761DC835382D5,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000342339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.600{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000342338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.599{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000342337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.598{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 23542300x8000000000000000342336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.598{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=720C3BE894406154CDCC9EB0E161D2F4,SHA256=E7A2FCA69D4A1CFCD7AFE237953D61D172F2DB285B891191154259210EF37B90,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000342335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.598{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000342334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.597{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000342333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.597{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\mfperfhelper.dll10.0.14393.0 (rs1_release.160715-1616)MFPerf DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmfperfhelper.dllMD5=DAD53152E620AB1D256F531CCDDF4C96,SHA256=577A697C088A319A9839989E18548F46121E661D56C701DE0360905E814BC12D,IMPHASH=A00BC62B03D75EE2D584A9E7EFBA79A6trueMicrosoft WindowsValid 734700x8000000000000000342332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.596{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msmpeg2vdec.dll10.0.14393.5006 (rs1_release.220301-1704)Microsoft DTV-DVD Video DecoderMicrosoft® Windows® Operating SystemMicrosoft CorporationMSMPEG2VDEC.dllMD5=F9F5163A7D9FABBA6525A212AB0EA8C8,SHA256=E8426B1A9761BD88599033D091BFBD03A27A23171B159C3BD135C9F10E2A61E1,IMPHASH=6B91AF8A332F21F82F6117F8D9E0B8DBtrueMicrosoft WindowsValid 734700x8000000000000000342331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.596{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000342330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.593{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000342329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.591{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 734700x8000000000000000342328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.589{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 23542300x8000000000000000342327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.589{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84386CCB9FA9F61E37DCE0781C96DD7E,SHA256=EADA6D8D0A4AF55087A355B913384F038DD2F02FBBAA77251AEFB871344D55BA,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000342326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.588{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x8000000000000000342325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.587{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000342324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.587{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x8000000000000000342323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.587{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\evr.dll10.0.14393.2515 (rs1_release_1.180830-1044)Enhanced Video Renderer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationevr.dllMD5=4F00E99C3E92226B072C0E80D52A82F4,SHA256=7788212BD473C69B3C8F6705A7470BE783BE0244BC289334EFA579AAD2C9A91C,IMPHASH=C44CF843A574B60FED1B4D29827EBA14trueMicrosoft WindowsValid 734700x8000000000000000342322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.586{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5291 (rs1_release.220806-1444)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=0D54B119907CCD11827832973EAB917D,SHA256=78C28A0165B0A2581662CFB3A89E319006518DC2E1A664E6027C7F8EBFA05D92,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x8000000000000000342321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.585{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\dxva2.dll10.0.14393.0 (rs1_release.160715-1616)DirectX Video Acceleration 2.0 DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdxva2.dllMD5=DE24CAC5A0B3CE1AD8057FE258712365,SHA256=5CA1E7FBA01D92AA3F933A00E495460DC5DB38DAD2CAD370782474F50F9C964E,IMPHASH=338B9EB254A5341CE890B2511DF3DFAEtrueMicrosoft WindowsValid 734700x8000000000000000342320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.585{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll104.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D81C40EAA529D675598BD3D88F4D273B,SHA256=F89754F1E16A89AF01B5A3B2F4FDE652AA14DBA3131FB9A831D1E51E2E4D9359,IMPHASH=59035CC8561E9C04E566E656F35B9519trueMozilla CorporationValid 734700x8000000000000000342319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.584{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000342318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.584{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\mf.dll10.0.14393.5006 (rs1_release.220301-1704)Media Foundation DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmf.dllMD5=B3125628D278292F8EB16B1DC0B7DDAF,SHA256=6BF3676FC778B95462F080EA33815AB5FCCC0EA2DE4EB086FCE786E2E1FD2662,IMPHASH=224763A9487AA02E14432742CBC2F08EtrueMicrosoft WindowsValid 734700x8000000000000000342317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.582{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\RTWorkQ.dll10.0.14393.479 (rs1_release.161110-2025)Realtime WorkQueue DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationRTWorkQ.dllMD5=1EABA23A7305A232C9A16C14806ED091,SHA256=3AD1A84A56EE0DA68B40D40770787FEED3DCF4A74BE172F01BD837FD680396E6,IMPHASH=41E263D9EB0100A59E34B18CF8F6F725trueMicrosoft WindowsValid 734700x8000000000000000342316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.581{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000342315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.581{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000342314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.580{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000342313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.580{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\mfplat.dll10.0.14393.4169 (rs1_release.210107-1130)Media Foundation Platform DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmfplat.dllMD5=6B3DD2386B60D0003B3A0A1AE706A9C5,SHA256=2DF94FA3C88D5D8AB5A981C0182263B5D8161CE0F96687D2DF7892EB4F25104C,IMPHASH=4B0B41F559164385A004BCC689586F63trueMicrosoft WindowsValid 734700x8000000000000000342312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.579{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 23542300x8000000000000000342311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.579{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\17610MD5=8C0D43B108A36B02FB72B6D5ED2932EB,SHA256=8EE9A9CB7581B5DE8324A3E91FC6439CD70186946FC8BFA38E6F7B93183E10C2,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000342310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.579{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0trueMozilla CorporationValid 10341000x8000000000000000342309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.578{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9f9b59|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a7fd3f|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.572{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.572{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.571{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.571{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.570{6820D070-4B7C-6323-8800-000000007502}6281180C:\Windows\system32\csrss.exe{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000342303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.570{6820D070-4D64-6323-ED00-000000007502}61405840C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+2bb52|C:\Program Files\Mozilla Firefox\firefox.exe+59d7|C:\Program Files\Mozilla Firefox\xul.dll+203367f|C:\Program Files\Mozilla Firefox\xul.dll+9f4a88|C:\Program Files\Mozilla Firefox\xul.dll+9f2b85|C:\Program Files\Mozilla Firefox\xul.dll+9faa2e|C:\Program Files\Mozilla Firefox\xul.dll+84ead3|C:\Program Files\Mozilla Firefox\xul.dll+17b26ed|C:\Program Files\Mozilla Firefox\xul.dll+17b0967|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+8523f7|C:\Program Files\Mozilla Firefox\nss3.dll+75edc|C:\Program Files\Mozilla Firefox\nss3.dll+8c1d1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000342302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.570{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6140.27.2090397917\1532420193" -parentBuildID 20220902153754 -sandboxingKind 1 -prefsHandle 8980 -prefMapHandle 3980 -prefsLen 31603 -prefMapSize 231974 -appDir "C:\Program Files\Mozilla Firefox\browser" - 6140 "\\.\pipe\gecko-crash-server-pipe.6140" 4292 2612e365048 utilityC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{6820D070-4B7D-6323-1F63-0C0000000000}0xc631f2LowMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000342301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.569{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.569{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.568{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.568{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.568{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.568{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozavutil.dll104.0.2-FirefoxMozilla Foundationmozavutil.dllMD5=93209E2F0966FD267CCA5D52ED209298,SHA256=1B62422C2A6AF6AF87C781291CCE8D5AB31821F77BC1791E43F7A0CF4161B82C,IMPHASH=11BB9E641A35A22B0C79747CAD934F04trueMozilla CorporationValid 10341000x8000000000000000342295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.568{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.568{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.567{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.567{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.567{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozavcodec.dll104.0.2-FirefoxMozilla Foundationmozavcodec.dllMD5=EF512B58F9F81486D14C33A60FCCF6EF,SHA256=DCCC26865E7C4842AC289219E0026654E454C3C1966ABB08D0DE6C25C046EAA9,IMPHASH=3FF103720EF814BD7CF637C6C5C071CFtrueMozilla CorporationValid 10341000x8000000000000000342290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.567{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.567{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.567{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.566{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.566{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.566{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.566{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.566{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.565{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.565{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.565{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.564{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.564{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.564{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.564{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 10341000x8000000000000000342275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.564{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.564{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.563{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.563{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.563{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 17141700x8000000000000000342270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:24.563{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.27.209039791C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000342269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.562{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000342268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.561{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1a81b5a|C:\Program Files\Mozilla Firefox\xul.dll+1a7fb67|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000342267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:24.561{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.26.58132647C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000342266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.558{6820D070-4D64-6323-ED00-000000007502}61404084C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+114dfb|C:\Program Files\Mozilla Firefox\xul.dll+12ee2b1|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000342265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:24.557{6820D070-4D64-6323-ED00-000000007502}6140\gecko-crash-server-pipe.6140C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000342264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.550{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x8000000000000000342263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.550{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000342262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.549{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000342261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.549{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000342260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.548{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000342259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.548{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000342258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.547{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000342257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.547{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=55FCE44E89BDA2444619661FE50F43EE,SHA256=420CACA0D821E7E9F1D1E683E9899BC2F6D5A4AA06C8D4BB23335DD9490CC0F8,IMPHASH=8B8383FC3FA03C92F859A2AF899A52ADtrueMicrosoft WindowsValid 734700x8000000000000000342256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.546{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll104.0.2-FirefoxMozilla Foundationxul.dllMD5=0A51F22D078855CE4E32F0987E9B06C6,SHA256=CD073C7F42A13D192E8E96AC16B0C2BE56D40424768DC65733380AB4AFBD4716,IMPHASH=9A9A84C657A1B1C5F1F6F1989D349543trueMozilla CorporationValid 734700x8000000000000000342255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.546{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll104.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=8A81C934123E7CA79B7A1741570D3336,SHA256=0A0F351BBB315E6364398A55F77607E57C29CB83BEE9FC6D7EA6DC3D761964DA,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x8000000000000000342254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.545{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x8000000000000000342253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.544{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000342252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.544{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll104.0.2-FirefoxMozilla Foundationnss3.dllMD5=53509A4511300964ADB047AD5F1F1170,SHA256=2241536476C6C2CCE371DCFB08432C351198809A577FFC2E79D27FCEAAB6FEE5,IMPHASH=C637BF48786E5FC945D5268F49B50500trueMozilla CorporationValid 734700x8000000000000000342251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.542{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000342250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.540{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000342249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.539{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000342248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.539{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000342247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.538{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000342246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.537{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000342245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.536{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000342244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.536{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000342243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.535{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000342242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.534{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000342241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.534{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000342240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.531{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 734700x8000000000000000342239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.530{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x8000000000000000342238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.529{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x8000000000000000342237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.528{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x8000000000000000342236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.527{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5291 (rs1_release.220806-1444)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=0D54B119907CCD11827832973EAB917D,SHA256=78C28A0165B0A2581662CFB3A89E319006518DC2E1A664E6027C7F8EBFA05D92,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x8000000000000000342235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.526{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll104.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D81C40EAA529D675598BD3D88F4D273B,SHA256=F89754F1E16A89AF01B5A3B2F4FDE652AA14DBA3131FB9A831D1E51E2E4D9359,IMPHASH=59035CC8561E9C04E566E656F35B9519trueMozilla CorporationValid 734700x8000000000000000342234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.526{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000342233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.523{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000342232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.523{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000342231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.522{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000342230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.522{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0trueMozilla CorporationValid 10341000x8000000000000000342229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.521{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9f9b59|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a7fd3f|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.516{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.516{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.515{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.515{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.515{6820D070-4B7C-6323-8800-000000007502}6284268C:\Windows\system32\csrss.exe{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000342223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.514{6820D070-4D64-6323-ED00-000000007502}61405840C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+2bb52|C:\Program Files\Mozilla Firefox\firefox.exe+59d7|C:\Program Files\Mozilla Firefox\xul.dll+203367f|C:\Program Files\Mozilla Firefox\xul.dll+9f4a88|C:\Program Files\Mozilla Firefox\xul.dll+9f2b85|C:\Program Files\Mozilla Firefox\xul.dll+9faa2e|C:\Program Files\Mozilla Firefox\xul.dll+84ead3|C:\Program Files\Mozilla Firefox\xul.dll+17b26ed|C:\Program Files\Mozilla Firefox\xul.dll+17b0967|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+8523f7|C:\Program Files\Mozilla Firefox\nss3.dll+75edc|C:\Program Files\Mozilla Firefox\nss3.dll+8c1d1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000342222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.514{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6140.26.581326470\1730321546" -parentBuildID 20220902153754 -prefsHandle 7116 -prefMapHandle 4728 -prefsLen 31603 -prefMapSize 231974 -appDir "C:\Program Files\Mozilla Firefox\browser" - 6140 "\\.\pipe\gecko-crash-server-pipe.6140" 8652 2612e2d3f48 rddC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{6820D070-4B7D-6323-1F63-0C0000000000}0xc631f2LowMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000342221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.513{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.513{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.513{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.513{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.512{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.512{6820D070-4D66-6323-EE00-000000007502}5852C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\avrt.dll10.0.14393.2969 (rs1_release.190503-1820)Multimedia Realtime RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationavrt.dllMD5=8EC9E2490A9FFA637115F758B22FFF78,SHA256=1A3295CBF09E9367CCE68505D949D724FB9B66B4516770B7D594273C3BCFC5B8,IMPHASH=F266C00A61E480BB0A81B1A89DB30014trueMicrosoft WindowsValid 10341000x8000000000000000342215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.512{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.512{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.512{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.512{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.511{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.511{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.511{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.511{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.511{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.511{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.510{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.510{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.510{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.510{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.509{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.509{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.509{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.509{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.508{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.508{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.508{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000342194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:24.507{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.26.58132647C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000342193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.501{6820D070-4D98-6323-0701-000000007502}5152C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozavcodec.dll104.0.2-FirefoxMozilla Foundationmozavcodec.dllMD5=EF512B58F9F81486D14C33A60FCCF6EF,SHA256=DCCC26865E7C4842AC289219E0026654E454C3C1966ABB08D0DE6C25C046EAA9,IMPHASH=3FF103720EF814BD7CF637C6C5C071CFtrueMozilla CorporationValid 734700x8000000000000000342192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.500{6820D070-4D98-6323-0701-000000007502}5152C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozavutil.dll104.0.2-FirefoxMozilla Foundationmozavutil.dllMD5=93209E2F0966FD267CCA5D52ED209298,SHA256=1B62422C2A6AF6AF87C781291CCE8D5AB31821F77BC1791E43F7A0CF4161B82C,IMPHASH=11BB9E641A35A22B0C79747CAD934F04trueMozilla CorporationValid 354300x8000000000000000342191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:22.462{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50208-false142.250.191.161ord38s30-in-f1.1e100.net443https 354300x8000000000000000342190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:22.461{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50207-false142.250.191.162ord38s30-in-f2.1e100.net443https 354300x8000000000000000342189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:22.438{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50206-false142.250.191.162ord38s30-in-f2.1e100.net443https 734700x8000000000000000342188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.400{6820D070-4DF8-6323-1901-000000007502}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000342187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.398{6820D070-4DF8-6323-1901-000000007502}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000342186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.397{6820D070-4DF8-6323-1901-000000007502}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000342185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:22.425{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50205-false142.250.191.161ord38s30-in-f1.1e100.net443https 354300x8000000000000000342184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:22.425{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50204-false142.250.191.161ord38s30-in-f1.1e100.net443https 354300x8000000000000000342183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:22.423{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50203-false142.250.191.161ord38s30-in-f1.1e100.net443https 354300x8000000000000000342182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:22.422{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50202-false142.250.191.161ord38s30-in-f1.1e100.net443https 354300x8000000000000000342181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:22.421{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50201-false142.250.191.161ord38s30-in-f1.1e100.net443https 354300x8000000000000000342180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:22.403{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59604- 354300x8000000000000000342179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:22.399{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50200-false142.250.191.162ord38s30-in-f2.1e100.net443https 354300x8000000000000000342178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:22.383{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local62886- 354300x8000000000000000342177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:22.381{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local55874- 354300x8000000000000000342176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:22.380{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local56174- 10341000x8000000000000000342175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.229{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF7-6323-1801-000000007502}6996C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000342174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.229{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF7-6323-1801-000000007502}6996C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000342173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.229{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF7-6323-1801-000000007502}6996C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000342172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.228{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF7-6323-1801-000000007502}6996C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000342171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.228{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF7-6323-1801-000000007502}6996C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000342170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.228{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF7-6323-1801-000000007502}6996C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 734700x8000000000000000342169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.220{6820D070-4DF8-6323-1901-000000007502}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000342168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.220{6820D070-4DF8-6323-1901-000000007502}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000342167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.219{6820D070-4DF8-6323-1901-000000007502}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000342166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.218{6820D070-4DF8-6323-1901-000000007502}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000342165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.216{6820D070-4DF8-6323-1901-000000007502}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000342164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.216{6820D070-4DF8-6323-1901-000000007502}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000342163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.216{6820D070-4DF8-6323-1901-000000007502}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000342162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.215{6820D070-4DF8-6323-1901-000000007502}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000342161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.207{6820D070-4DF8-6323-1901-000000007502}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000342160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.207{6820D070-4DF8-6323-1901-000000007502}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000342159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.206{6820D070-4DF8-6323-1901-000000007502}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000342158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.206{6820D070-4DF8-6323-1901-000000007502}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000342157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.206{6820D070-4DF8-6323-1901-000000007502}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000342156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.204{6820D070-4DF8-6323-1901-000000007502}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000342155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.204{6820D070-4DF8-6323-1901-000000007502}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000342154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.204{6820D070-4DF8-6323-1901-000000007502}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000342153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.204{6820D070-4DF8-6323-1901-000000007502}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000342152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.204{6820D070-4DF8-6323-1901-000000007502}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000342151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.204{6820D070-4DF8-6323-1901-000000007502}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000342150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.203{6820D070-4DF8-6323-1901-000000007502}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000342149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.203{6820D070-4DF8-6323-1901-000000007502}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000342148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.203{6820D070-4DF8-6323-1901-000000007502}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000342147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.203{6820D070-4DF8-6323-1901-000000007502}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000342146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.202{6820D070-4DF8-6323-1901-000000007502}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000342145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.202{6820D070-4DF8-6323-1901-000000007502}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000342144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.202{6820D070-4DF8-6323-1901-000000007502}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000342143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.201{6820D070-4DF8-6323-1901-000000007502}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000342142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.201{6820D070-4DF8-6323-1901-000000007502}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000342141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.201{6820D070-4DF8-6323-1901-000000007502}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000342140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.201{6820D070-4DF8-6323-1901-000000007502}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000342139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.201{6820D070-4DF8-6323-1901-000000007502}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000342138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.201{6820D070-4DF8-6323-1901-000000007502}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000342137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.201{6820D070-4DF8-6323-1901-000000007502}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000342136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.201{6820D070-4DF8-6323-1901-000000007502}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000342135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.201{6820D070-4DF8-6323-1901-000000007502}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000342134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.200{6820D070-4DF8-6323-1901-000000007502}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000342133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.199{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4DF8-6323-1901-000000007502}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.198{6820D070-4DF8-6323-1901-000000007502}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000342131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.197{6820D070-4DF8-6323-1901-000000007502}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000342130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.196{6820D070-4DF8-6323-1901-000000007502}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000342129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.196{6820D070-4DF8-6323-1901-000000007502}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000342128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.195{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.195{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.195{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.195{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.195{6820D070-4ACF-6323-0500-000000007502}404520C:\Windows\system32\csrss.exe{6820D070-4DF8-6323-1901-000000007502}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000342123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.194{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4DF8-6323-1901-000000007502}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000342122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.194{6820D070-4DF8-6323-1901-000000007502}6552C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000342121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.156{6820D070-4DF6-6323-1501-000000007502}6864C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202,IMPHASH=0E9C1FA273A5EFD763FAC8E145B20C80trueMicrosoft WindowsValid 23542300x8000000000000000342120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.144{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\9373MD5=600925888DCECECCF117805A1A4E60A9,SHA256=68D5B033F7C9C0FC6763D5BAF36B8065F25C3230F699E49D914D8E75E3B1BCD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000342119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.062{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF6-6323-1501-000000007502}6864C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e76539|C:\Program Files\Mozilla Firefox\xul.dll+e76f08|C:\Program Files\Mozilla Firefox\xul.dll+e65430|C:\Program Files\Mozilla Firefox\xul.dll+42b8d36|C:\Program Files\Mozilla Firefox\xul.dll+2412b58|C:\Program Files\Mozilla Firefox\xul.dll+9b8b70|C:\Program Files\Mozilla Firefox\xul.dll+9707a1|C:\Program Files\Mozilla Firefox\xul.dll+1810d8|C:\Program Files\Mozilla Firefox\xul.dll+9bc4e5|C:\Program Files\Mozilla Firefox\xul.dll+97c5dc|C:\Program Files\Mozilla Firefox\xul.dll+97f821|C:\Program Files\Mozilla Firefox\xul.dll+97e4db|C:\Program Files\Mozilla Firefox\xul.dll+97d705|C:\Program Files\Mozilla Firefox\xul.dll+988af0|C:\Program Files\Mozilla Firefox\xul.dll+8b5b12|C:\Program Files\Mozilla Firefox\xul.dll+83635f|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f 22542200x8000000000000000342118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.086{6820D070-4D64-6323-ED00-000000007502}6140t.teads.tv0type: 5 t.teads.tv.edgekey.net;type: 5 e9957.d.akamaiedge.net;::ffff:23.48.205.83;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000342117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:22.416{6820D070-4D64-6323-ED00-000000007502}6140cdn-content.ampproject.org02607:f8b0:4009:804::2001;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000189935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:24.211{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B84-6323-9000-000000007602}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000189934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:24.202{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000189933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:24.189{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000189932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:24.184{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8700-000000007602}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000189931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:24.178{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B81-6323-8400-000000007602}3052C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000189930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:24.166{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B80-6323-8100-000000007602}640C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000189929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:24.166{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B7F-6323-7F00-000000007602}1676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000189928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:24.162{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B4B-6323-7B00-000000007602}2656C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000189927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:24.162{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AE3-6323-6D00-000000007602}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000189926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:24.159{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000189925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:24.154{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4200-000000007602}3036C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000189924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:24.153{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4000-000000007602}3000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000189923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:24.151{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-3C00-000000007602}2820C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000189922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:24.149{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD2-6323-2B00-000000007602}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000189921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:24.148{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2600-000000007602}2612C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000189920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:24.146{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2500-000000007602}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000189919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:24.138{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000189918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:24.134{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000189917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:24.128{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2000-000000007602}2000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000189916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:24.128{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1F00-000000007602}1984C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000189915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:24.120{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1C00-000000007602}1924C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000189914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:24.109{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1900-000000007602}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000189913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:24.097{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1700-000000007602}1228C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000189912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:24.095{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1600-000000007602}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000189911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:24.087{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1500-000000007602}1056C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000189910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:24.047{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1400-000000007602}1048C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000189909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:24.039{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1300-000000007602}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000189908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:24.029{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1200-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000189907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:24.017{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1100-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000343200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.695{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.694{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.694{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.694{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000343196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.694{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 10341000x8000000000000000343195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.694{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.694{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 10341000x8000000000000000343193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.693{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.693{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.693{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.693{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.693{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.693{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.693{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.693{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 10341000x8000000000000000343185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.693{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.693{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.693{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000343182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.693{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000343181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:25.693{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.2036714979929309955C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000343180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:25.693{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.2036714979929309955C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000343179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.692{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.692{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.692{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.692{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.692{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 10341000x8000000000000000343174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.692{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.692{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x8000000000000000343172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.692{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000343171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.692{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 10341000x8000000000000000343170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.691{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.691{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0trueMozilla CorporationValid 10341000x8000000000000000343168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.691{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.691{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll104.0.2-FirefoxMozilla Foundationnss3.dllMD5=53509A4511300964ADB047AD5F1F1170,SHA256=2241536476C6C2CCE371DCFB08432C351198809A577FFC2E79D27FCEAAB6FEE5,IMPHASH=C637BF48786E5FC945D5268F49B50500trueMozilla CorporationValid 10341000x8000000000000000343166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.691{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.690{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 10341000x8000000000000000343164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.690{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.689{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000343162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.688{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000343161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.687{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000343160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.687{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000343159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.687{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000343158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.686{6820D070-4B7C-6323-8800-000000007502}6281180C:\Windows\system32\csrss.exe{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000343157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.686{6820D070-4D64-6323-ED00-000000007502}61405840C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+2bb52|C:\Program Files\Mozilla Firefox\firefox.exe+59d7|C:\Program Files\Mozilla Firefox\xul.dll+203367f|C:\Program Files\Mozilla Firefox\xul.dll+9f4a88|C:\Program Files\Mozilla Firefox\xul.dll+9f2b85|C:\Program Files\Mozilla Firefox\xul.dll+9faa2e|C:\Program Files\Mozilla Firefox\xul.dll+84ead3|C:\Program Files\Mozilla Firefox\xul.dll+17b26ed|C:\Program Files\Mozilla Firefox\xul.dll+17b0885|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+8523f7|C:\Program Files\Mozilla Firefox\nss3.dll+75edc|C:\Program Files\Mozilla Firefox\nss3.dll+8c1d1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000343156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.686{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6140.36.1347607478\1179556380" -childID 33 -isForBrowser -prefsHandle 7420 -prefMapHandle 6988 -prefsLen 31603 -prefMapSize 231974 -jsInitHandle 1100 -jsInitLen 247228 -a11yResourceId 64 -parentBuildID 20220902153754 -appDir "C:\Program Files\Mozilla Firefox\browser" - 6140 "\\.\pipe\gecko-crash-server-pipe.6140" 5980 2612f6d0248 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{6820D070-4B7D-6323-1F63-0C0000000000}0xc631f2LowMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000343155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.684{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.684{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000343153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.684{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x8000000000000000343152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.684{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000343151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.684{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.684{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.684{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.683{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.683{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000343146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.683{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.683{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.683{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.683{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 10341000x8000000000000000343142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.683{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.682{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.682{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.682{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.682{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000343137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.682{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000343136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.682{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.682{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.681{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.681{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.681{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1a81b5a|C:\Program Files\Mozilla Firefox\xul.dll+1a7f91c|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.681{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.681{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.681{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 10341000x8000000000000000343128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.680{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.680{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.680{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 10341000x8000000000000000343125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.680{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.680{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 10341000x8000000000000000343123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.679{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000343122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:25.679{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.31.49646927C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000343121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.679{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.679{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.679{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 10341000x8000000000000000343118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.678{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.678{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.677{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 734700x8000000000000000343115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.677{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x8000000000000000343114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.676{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x8000000000000000343113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.675{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 10341000x8000000000000000343112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.675{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.674{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=55FCE44E89BDA2444619661FE50F43EE,SHA256=420CACA0D821E7E9F1D1E683E9899BC2F6D5A4AA06C8D4BB23335DD9490CC0F8,IMPHASH=8B8383FC3FA03C92F859A2AF899A52ADtrueMicrosoft WindowsValid 10341000x8000000000000000343110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.673{6820D070-4B7C-6323-8800-000000007502}628648C:\Windows\system32\csrss.exe{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x8000000000000000343109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.673{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 10341000x8000000000000000343108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.673{6820D070-4D64-6323-ED00-000000007502}61405840C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+2bb52|C:\Program Files\Mozilla Firefox\firefox.exe+59d7|C:\Program Files\Mozilla Firefox\xul.dll+203367f|C:\Program Files\Mozilla Firefox\xul.dll+9f4a88|C:\Program Files\Mozilla Firefox\xul.dll+9f2b85|C:\Program Files\Mozilla Firefox\xul.dll+9faa2e|C:\Program Files\Mozilla Firefox\xul.dll+84ead3|C:\Program Files\Mozilla Firefox\xul.dll+17b26ed|C:\Program Files\Mozilla Firefox\xul.dll+17b0885|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+8523f7|C:\Program Files\Mozilla Firefox\nss3.dll+75edc|C:\Program Files\Mozilla Firefox\nss3.dll+8c1d1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000343107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.673{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6140.35.1838670629\1815245939" -childID 32 -isForBrowser -prefsHandle 8840 -prefMapHandle 7844 -prefsLen 31603 -prefMapSize 231974 -jsInitHandle 1100 -jsInitLen 247228 -a11yResourceId 64 -parentBuildID 20220902153754 -appDir "C:\Program Files\Mozilla Firefox\browser" - 6140 "\\.\pipe\gecko-crash-server-pipe.6140" 6136 2612f44d948 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{6820D070-4B7D-6323-1F63-0C0000000000}0xc631f2LowMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 734700x8000000000000000343106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.672{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x8000000000000000343105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.672{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5291 (rs1_release.220806-1444)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=0D54B119907CCD11827832973EAB917D,SHA256=78C28A0165B0A2581662CFB3A89E319006518DC2E1A664E6027C7F8EBFA05D92,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 10341000x8000000000000000343104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.671{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.671{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.671{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll104.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D81C40EAA529D675598BD3D88F4D273B,SHA256=F89754F1E16A89AF01B5A3B2F4FDE652AA14DBA3131FB9A831D1E51E2E4D9359,IMPHASH=59035CC8561E9C04E566E656F35B9519trueMozilla CorporationValid 10341000x8000000000000000343101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.671{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.671{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.671{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.671{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.670{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.670{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.670{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.670{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 10341000x8000000000000000343093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.670{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.670{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.669{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.669{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.669{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.668{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.668{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.668{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.668{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.667{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.667{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.667{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.667{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.667{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.666{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.666{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.666{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 10341000x8000000000000000343076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.666{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e76539|C:\Program Files\Mozilla Firefox\xul.dll+e6774a|C:\Program Files\Mozilla Firefox\xul.dll+378cdc3|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.666{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 10341000x8000000000000000343074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.666{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.665{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5291 (rs1_release.220806-1444)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=0D54B119907CCD11827832973EAB917D,SHA256=78C28A0165B0A2581662CFB3A89E319006518DC2E1A664E6027C7F8EBFA05D92,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x8000000000000000343072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.665{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000343071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.664{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e76539|C:\Program Files\Mozilla Firefox\xul.dll+e6774a|C:\Program Files\Mozilla Firefox\xul.dll+378cdc3|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.664{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll104.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D81C40EAA529D675598BD3D88F4D273B,SHA256=F89754F1E16A89AF01B5A3B2F4FDE652AA14DBA3131FB9A831D1E51E2E4D9359,IMPHASH=59035CC8561E9C04E566E656F35B9519trueMozilla CorporationValid 734700x8000000000000000343069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.663{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000343068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.663{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 10341000x8000000000000000343067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.663{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e76539|C:\Program Files\Mozilla Firefox\xul.dll+e6774a|C:\Program Files\Mozilla Firefox\xul.dll+378cdc3|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+1a61c23|C:\Program Files\Mozilla Firefox\xul.dll+17b1bad|C:\Program Files\Mozilla Firefox\xul.dll+1a890bb|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.662{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9f9b59|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a7fd3f|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.662{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9f9b59|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a7fd3f|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.662{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0trueMozilla CorporationValid 10341000x8000000000000000343063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.662{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9f9b59|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a7fd3f|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.662{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000343061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.661{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000343060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.660{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 10341000x8000000000000000343059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.659{6820D070-4D64-6323-ED00-000000007502}61404084C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+114dfb|C:\Program Files\Mozilla Firefox\xul.dll+12ee2b1|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000343058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:25.659{6820D070-4D64-6323-ED00-000000007502}6140\gecko-crash-server-pipe.6140C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000343057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.659{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll104.0.2-FirefoxMozilla Foundationxul.dllMD5=0A51F22D078855CE4E32F0987E9B06C6,SHA256=CD073C7F42A13D192E8E96AC16B0C2BE56D40424768DC65733380AB4AFBD4716,IMPHASH=9A9A84C657A1B1C5F1F6F1989D349543trueMozilla CorporationValid 734700x8000000000000000343056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.659{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 18141800x8000000000000000343055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:25.658{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.17537434261390808517C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000343054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:25.658{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.17537434261390808517C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000343053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.657{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000343052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.655{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1a81b5a|C:\Program Files\Mozilla Firefox\xul.dll+1a7f91c|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000343051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:25.654{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.30.108962691C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000343050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.653{6820D070-4B7C-6323-8800-000000007502}628648C:\Windows\system32\csrss.exe{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 17141700x8000000000000000343049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:25.653{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.37.68911627C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000343048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.653{6820D070-4D64-6323-ED00-000000007502}61405840C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+2bb52|C:\Program Files\Mozilla Firefox\firefox.exe+59d7|C:\Program Files\Mozilla Firefox\xul.dll+203367f|C:\Program Files\Mozilla Firefox\xul.dll+9f4a88|C:\Program Files\Mozilla Firefox\xul.dll+9f2b85|C:\Program Files\Mozilla Firefox\xul.dll+9faa2e|C:\Program Files\Mozilla Firefox\xul.dll+84ead3|C:\Program Files\Mozilla Firefox\xul.dll+17b26ed|C:\Program Files\Mozilla Firefox\xul.dll+17b0885|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+8523f7|C:\Program Files\Mozilla Firefox\nss3.dll+75edc|C:\Program Files\Mozilla Firefox\nss3.dll+8c1d1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000343047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.644{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6140.34.992401490\1797112337" -childID 31 -isForBrowser -prefsHandle 6608 -prefMapHandle 6612 -prefsLen 31603 -prefMapSize 231974 -jsInitHandle 1100 -jsInitLen 247228 -a11yResourceId 64 -parentBuildID 20220902153754 -appDir "C:\Program Files\Mozilla Firefox\browser" - 6140 "\\.\pipe\gecko-crash-server-pipe.6140" 8876 2612f44be48 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{6820D070-4B7D-6323-1F63-0C0000000000}0xc631f2LowMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 354300x8000000000000000343046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.969{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50228-false142.250.190.106ord37s35-in-f10.1e100.net443https 354300x8000000000000000343045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.943{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local55136- 354300x8000000000000000343044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.838{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50227-false68.67.160.75673.bm-nginx-loadbalancer.mgmt.nym2.adnexus.net443https 354300x8000000000000000343043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.815{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50226-false68.67.160.75673.bm-nginx-loadbalancer.mgmt.nym2.adnexus.net443https 354300x8000000000000000343042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.805{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local56802- 354300x8000000000000000343041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.799{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local60194- 354300x8000000000000000343040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.686{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local58632- 354300x8000000000000000343039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.686{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local55202- 354300x8000000000000000343038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.685{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local57422- 354300x8000000000000000343037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.685{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local64071- 354300x8000000000000000343036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.634{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50225-false69.192.209.51a69-192-209-51.deploy.static.akamaitechnologies.com443https 354300x8000000000000000343035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.614{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local64610- 17141700x8000000000000000343034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:25.651{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.36.134760747C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000343033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:25.646{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.35.183867062C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000343032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.646{6820D070-4D64-6323-ED00-000000007502}61404084C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+114dfb|C:\Program Files\Mozilla Firefox\xul.dll+12ee2b1|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000343031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:25.646{6820D070-4D64-6323-ED00-000000007502}6140\gecko-crash-server-pipe.6140C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000343030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.646{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x8000000000000000343029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.645{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000343028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.645{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000343027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.644{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000343026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.643{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 10341000x8000000000000000343025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.643{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.643{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.643{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.643{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll104.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=8A81C934123E7CA79B7A1741570D3336,SHA256=0A0F351BBB315E6364398A55F77607E57C29CB83BEE9FC6D7EA6DC3D761964DA,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x8000000000000000343021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.642{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 10341000x8000000000000000343020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.642{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.642{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.642{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.642{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 10341000x8000000000000000343016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.641{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.641{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.641{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 10341000x8000000000000000343013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.641{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.641{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.641{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.640{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.640{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.640{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.640{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000343006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.640{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.640{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.640{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 10341000x8000000000000000343003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.639{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.639{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 10341000x8000000000000000343001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.639{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.639{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.639{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x8000000000000000342998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.639{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.638{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.638{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000342995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.638{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.638{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll104.0.2-FirefoxMozilla Foundationnss3.dllMD5=53509A4511300964ADB047AD5F1F1170,SHA256=2241536476C6C2CCE371DCFB08432C351198809A577FFC2E79D27FCEAAB6FEE5,IMPHASH=C637BF48786E5FC945D5268F49B50500trueMozilla CorporationValid 10341000x8000000000000000342993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.638{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.638{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.638{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.637{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.637{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.637{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 10341000x8000000000000000342987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.637{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.637{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.637{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000342984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.636{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 10341000x8000000000000000342983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.636{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.636{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000342981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.636{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000342980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.635{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000342979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.635{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 10341000x8000000000000000342978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.634{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e76539|C:\Program Files\Mozilla Firefox\xul.dll+e6774a|C:\Program Files\Mozilla Firefox\xul.dll+378cdc3|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+1a61c23|C:\Program Files\Mozilla Firefox\xul.dll+17b1bad|C:\Program Files\Mozilla Firefox\xul.dll+1a890bb|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.634{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0trueMozilla CorporationValid 734700x8000000000000000342976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.633{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 10341000x8000000000000000342975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.633{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9f9b59|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a7fd3f|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.633{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=55FCE44E89BDA2444619661FE50F43EE,SHA256=420CACA0D821E7E9F1D1E683E9899BC2F6D5A4AA06C8D4BB23335DD9490CC0F8,IMPHASH=8B8383FC3FA03C92F859A2AF899A52ADtrueMicrosoft WindowsValid 734700x8000000000000000342973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.631{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000342972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.631{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000342971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.631{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll104.0.2-FirefoxMozilla Foundationxul.dllMD5=0A51F22D078855CE4E32F0987E9B06C6,SHA256=CD073C7F42A13D192E8E96AC16B0C2BE56D40424768DC65733380AB4AFBD4716,IMPHASH=9A9A84C657A1B1C5F1F6F1989D349543trueMozilla CorporationValid 734700x8000000000000000342970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.630{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000342969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.630{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll104.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=8A81C934123E7CA79B7A1741570D3336,SHA256=0A0F351BBB315E6364398A55F77607E57C29CB83BEE9FC6D7EA6DC3D761964DA,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x8000000000000000342968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.629{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x8000000000000000342967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.629{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=55FCE44E89BDA2444619661FE50F43EE,SHA256=420CACA0D821E7E9F1D1E683E9899BC2F6D5A4AA06C8D4BB23335DD9490CC0F8,IMPHASH=8B8383FC3FA03C92F859A2AF899A52ADtrueMicrosoft WindowsValid 734700x8000000000000000342966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.628{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000342965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.628{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000342964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.628{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000342963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.628{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 10341000x8000000000000000342962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.627{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.627{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000342960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.627{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000342959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.627{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll104.0.2-FirefoxMozilla Foundationxul.dllMD5=0A51F22D078855CE4E32F0987E9B06C6,SHA256=CD073C7F42A13D192E8E96AC16B0C2BE56D40424768DC65733380AB4AFBD4716,IMPHASH=9A9A84C657A1B1C5F1F6F1989D349543trueMozilla CorporationValid 734700x8000000000000000342958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.627{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll104.0.2-FirefoxMozilla Foundationnss3.dllMD5=53509A4511300964ADB047AD5F1F1170,SHA256=2241536476C6C2CCE371DCFB08432C351198809A577FFC2E79D27FCEAAB6FEE5,IMPHASH=C637BF48786E5FC945D5268F49B50500trueMozilla CorporationValid 734700x8000000000000000342957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.626{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 18141800x8000000000000000342956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:25.626{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.15157304014946469057C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000342955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:25.625{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.15157304014946469057C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000342954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.625{6820D070-4B7C-6323-8800-000000007502}6284268C:\Windows\system32\csrss.exe{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x8000000000000000342953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.625{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll104.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=8A81C934123E7CA79B7A1741570D3336,SHA256=0A0F351BBB315E6364398A55F77607E57C29CB83BEE9FC6D7EA6DC3D761964DA,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 10341000x8000000000000000342952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.625{6820D070-4D64-6323-ED00-000000007502}61405840C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+2bb52|C:\Program Files\Mozilla Firefox\firefox.exe+59d7|C:\Program Files\Mozilla Firefox\xul.dll+203367f|C:\Program Files\Mozilla Firefox\xul.dll+9f4a88|C:\Program Files\Mozilla Firefox\xul.dll+9f2b85|C:\Program Files\Mozilla Firefox\xul.dll+9faa2e|C:\Program Files\Mozilla Firefox\xul.dll+84ead3|C:\Program Files\Mozilla Firefox\xul.dll+17b26ed|C:\Program Files\Mozilla Firefox\xul.dll+17b0885|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+8523f7|C:\Program Files\Mozilla Firefox\nss3.dll+75edc|C:\Program Files\Mozilla Firefox\nss3.dll+8c1d1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000342951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.625{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6140.33.1059937282\1542977901" -childID 30 -isForBrowser -prefsHandle 6624 -prefMapHandle 6628 -prefsLen 31603 -prefMapSize 231974 -jsInitHandle 1100 -jsInitLen 247228 -a11yResourceId 64 -parentBuildID 20220902153754 -appDir "C:\Program Files\Mozilla Firefox\browser" - 6140 "\\.\pipe\gecko-crash-server-pipe.6140" 6488 2612f275948 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{6820D070-4B7D-6323-1F63-0C0000000000}0xc631f2LowMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 734700x8000000000000000342950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.624{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000342949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.624{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000342948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.624{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000342947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.624{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000342946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.624{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 10341000x8000000000000000342945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.623{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.623{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000342943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.623{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.623{6820D070-4DF9-6323-1F01-000000007502}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 10341000x8000000000000000342941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.623{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.623{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000342939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.623{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.623{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.623{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1a81b5a|C:\Program Files\Mozilla Firefox\xul.dll+1a7fb67|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.623{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 10341000x8000000000000000342935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.622{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.622{6820D070-4DF9-6323-1F01-000000007502}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 10341000x8000000000000000342933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.622{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.622{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 10341000x8000000000000000342931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.622{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.622{6820D070-4DF9-6323-1F01-000000007502}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000342929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.622{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 10341000x8000000000000000342928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.622{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.622{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000342926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:25.622{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.29.46343182C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000342925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.622{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000342924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.622{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 10341000x8000000000000000342923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.621{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.621{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000342921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.621{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.621{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x8000000000000000342919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.621{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll104.0.2-FirefoxMozilla Foundationnss3.dllMD5=53509A4511300964ADB047AD5F1F1170,SHA256=2241536476C6C2CCE371DCFB08432C351198809A577FFC2E79D27FCEAAB6FEE5,IMPHASH=C637BF48786E5FC945D5268F49B50500trueMozilla CorporationValid 10341000x8000000000000000342918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.621{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.620{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 10341000x8000000000000000342916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.620{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.620{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.620{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.620{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 10341000x8000000000000000342912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.620{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.620{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.620{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5291 (rs1_release.220806-1444)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=0D54B119907CCD11827832973EAB917D,SHA256=78C28A0165B0A2581662CFB3A89E319006518DC2E1A664E6027C7F8EBFA05D92,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 10341000x8000000000000000342909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.619{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.619{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.619{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000342906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.619{6820D070-4DF9-6323-1F01-000000007502}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 10341000x8000000000000000342905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.619{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.619{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll104.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D81C40EAA529D675598BD3D88F4D273B,SHA256=F89754F1E16A89AF01B5A3B2F4FDE652AA14DBA3131FB9A831D1E51E2E4D9359,IMPHASH=59035CC8561E9C04E566E656F35B9519trueMozilla CorporationValid 10341000x8000000000000000342903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.619{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.618{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.618{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000342900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.618{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000342899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.618{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000342898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.618{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000342897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.617{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000342896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.617{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 10341000x8000000000000000342895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.617{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.617{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.616{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000342892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.616{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.616{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.616{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000342889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.616{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.615{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000342887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.615{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000342886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.615{6820D070-4DF9-6323-1F01-000000007502}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000342885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.615{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000342884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.614{6820D070-4DF9-6323-1F01-000000007502}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000342883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.614{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 10341000x8000000000000000342882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.614{6820D070-4D64-6323-ED00-000000007502}61404084C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+114dfb|C:\Program Files\Mozilla Firefox\xul.dll+12ee2b1|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000342881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:25.614{6820D070-4D64-6323-ED00-000000007502}6140\gecko-crash-server-pipe.6140C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000342880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.614{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.614{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.614{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000342877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.613{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0trueMozilla CorporationValid 734700x8000000000000000342876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.611{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 734700x8000000000000000342875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.610{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x8000000000000000342874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.609{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x8000000000000000342873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.608{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x8000000000000000342872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.608{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5291 (rs1_release.220806-1444)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=0D54B119907CCD11827832973EAB917D,SHA256=78C28A0165B0A2581662CFB3A89E319006518DC2E1A664E6027C7F8EBFA05D92,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 10341000x8000000000000000342871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.607{6820D070-4B7C-6323-8800-000000007502}6284268C:\Windows\system32\csrss.exe{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x8000000000000000342870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.607{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x8000000000000000342869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.607{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll104.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D81C40EAA529D675598BD3D88F4D273B,SHA256=F89754F1E16A89AF01B5A3B2F4FDE652AA14DBA3131FB9A831D1E51E2E4D9359,IMPHASH=59035CC8561E9C04E566E656F35B9519trueMozilla CorporationValid 10341000x8000000000000000342868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.607{6820D070-4D64-6323-ED00-000000007502}61405840C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+2bb52|C:\Program Files\Mozilla Firefox\firefox.exe+59d7|C:\Program Files\Mozilla Firefox\xul.dll+203367f|C:\Program Files\Mozilla Firefox\xul.dll+9f4a88|C:\Program Files\Mozilla Firefox\xul.dll+9f2b85|C:\Program Files\Mozilla Firefox\xul.dll+9faa2e|C:\Program Files\Mozilla Firefox\xul.dll+84ead3|C:\Program Files\Mozilla Firefox\xul.dll+17b26ed|C:\Program Files\Mozilla Firefox\xul.dll+17b0885|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+8523f7|C:\Program Files\Mozilla Firefox\nss3.dll+75edc|C:\Program Files\Mozilla Firefox\nss3.dll+8c1d1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.607{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 154100x8000000000000000342866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.606{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6140.32.234959758\727143238" -childID 29 -isForBrowser -prefsHandle 3360 -prefMapHandle 7176 -prefsLen 31603 -prefMapSize 231974 -jsInitHandle 1100 -jsInitLen 247228 -a11yResourceId 64 -parentBuildID 20220902153754 -appDir "C:\Program Files\Mozilla Firefox\browser" - 6140 "\\.\pipe\gecko-crash-server-pipe.6140" 6600 2612e5e0548 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{6820D070-4B7D-6323-1F63-0C0000000000}0xc631f2LowMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 734700x8000000000000000342865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.607{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000342864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.606{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000342863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.606{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000342862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.606{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000342861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.605{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000342860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.605{6820D070-4DF9-6323-1F01-000000007502}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000342859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.605{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 10341000x8000000000000000342858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.604{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.604{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.604{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=55FCE44E89BDA2444619661FE50F43EE,SHA256=420CACA0D821E7E9F1D1E683E9899BC2F6D5A4AA06C8D4BB23335DD9490CC0F8,IMPHASH=8B8383FC3FA03C92F859A2AF899A52ADtrueMicrosoft WindowsValid 734700x8000000000000000342855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.604{6820D070-4DF9-6323-1F01-000000007502}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000342854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.603{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll104.0.2-FirefoxMozilla Foundationxul.dllMD5=0A51F22D078855CE4E32F0987E9B06C6,SHA256=CD073C7F42A13D192E8E96AC16B0C2BE56D40424768DC65733380AB4AFBD4716,IMPHASH=9A9A84C657A1B1C5F1F6F1989D349543trueMozilla CorporationValid 10341000x8000000000000000342853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.602{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.602{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.602{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 10341000x8000000000000000342850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.601{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.601{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll104.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=8A81C934123E7CA79B7A1741570D3336,SHA256=0A0F351BBB315E6364398A55F77607E57C29CB83BEE9FC6D7EA6DC3D761964DA,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x8000000000000000342848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.601{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000342847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.601{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.601{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.601{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 10341000x8000000000000000342844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.601{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.600{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.600{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.600{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x8000000000000000342840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.600{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 10341000x8000000000000000342839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.600{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.600{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.600{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000342836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.599{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0trueMozilla CorporationValid 10341000x8000000000000000342835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.599{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.599{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.599{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.599{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.598{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.598{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.598{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.598{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.598{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 10341000x8000000000000000342826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.597{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.597{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000342824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.597{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.597{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.597{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 10341000x8000000000000000342821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.597{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.596{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.596{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 10341000x8000000000000000342818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.596{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.596{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000342816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.595{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x8000000000000000342815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.595{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5291 (rs1_release.220806-1444)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=0D54B119907CCD11827832973EAB917D,SHA256=78C28A0165B0A2581662CFB3A89E319006518DC2E1A664E6027C7F8EBFA05D92,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x8000000000000000342814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.594{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll104.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D81C40EAA529D675598BD3D88F4D273B,SHA256=F89754F1E16A89AF01B5A3B2F4FDE652AA14DBA3131FB9A831D1E51E2E4D9359,IMPHASH=59035CC8561E9C04E566E656F35B9519trueMozilla CorporationValid 734700x8000000000000000342813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.593{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 10341000x8000000000000000342812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.591{6820D070-4B7C-6323-8800-000000007502}6284268C:\Windows\system32\csrss.exe{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000342811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.591{6820D070-4D64-6323-ED00-000000007502}61405840C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+2bb52|C:\Program Files\Mozilla Firefox\firefox.exe+59d7|C:\Program Files\Mozilla Firefox\xul.dll+203367f|C:\Program Files\Mozilla Firefox\xul.dll+9f4a88|C:\Program Files\Mozilla Firefox\xul.dll+9f2b85|C:\Program Files\Mozilla Firefox\xul.dll+9faa2e|C:\Program Files\Mozilla Firefox\xul.dll+84ead3|C:\Program Files\Mozilla Firefox\xul.dll+17b26ed|C:\Program Files\Mozilla Firefox\xul.dll+17b0885|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+8523f7|C:\Program Files\Mozilla Firefox\nss3.dll+75edc|C:\Program Files\Mozilla Firefox\nss3.dll+8c1d1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000342810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.591{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6140.31.496469274\163692801" -childID 28 -isForBrowser -prefsHandle 6912 -prefMapHandle 6892 -prefsLen 31603 -prefMapSize 231974 -jsInitHandle 1100 -jsInitLen 247228 -a11yResourceId 64 -parentBuildID 20220902153754 -appDir "C:\Program Files\Mozilla Firefox\browser" - 6140 "\\.\pipe\gecko-crash-server-pipe.6140" 6868 2612a1d4f48 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{6820D070-4B7D-6323-1F63-0C0000000000}0xc631f2LowMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000342809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.590{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.589{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.589{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.589{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.589{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000342804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.589{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 10341000x8000000000000000342803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.588{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.588{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.588{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.588{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000342799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.588{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.588{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.588{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll104.0.2-FirefoxMozilla Foundationnss3.dllMD5=53509A4511300964ADB047AD5F1F1170,SHA256=2241536476C6C2CCE371DCFB08432C351198809A577FFC2E79D27FCEAAB6FEE5,IMPHASH=C637BF48786E5FC945D5268F49B50500trueMozilla CorporationValid 10341000x8000000000000000342796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.587{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.587{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.587{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.587{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.587{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000342791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.587{6820D070-4DF9-6323-1F01-000000007502}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 10341000x8000000000000000342790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.587{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.586{6820D070-4DF9-6323-1F01-000000007502}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 10341000x8000000000000000342788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.586{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.586{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.586{6820D070-4DF9-6323-1F01-000000007502}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000342785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.586{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000342784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.586{6820D070-4DF9-6323-1F01-000000007502}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 10341000x8000000000000000342783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.585{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.585{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.585{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.585{6820D070-4DF9-6323-1F01-000000007502}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 10341000x8000000000000000342779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.585{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.585{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000342777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.585{6820D070-4DF9-6323-1F01-000000007502}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000342776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.585{6820D070-4DF9-6323-1F01-000000007502}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000342775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.585{6820D070-4DF9-6323-1F01-000000007502}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000342774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.584{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000342773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.584{6820D070-4DF9-6323-1F01-000000007502}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000342772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.584{6820D070-4DF9-6323-1F01-000000007502}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000342771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.584{6820D070-4DF9-6323-1F01-000000007502}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000342770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.584{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000342769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.584{6820D070-4DF9-6323-1F01-000000007502}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 10341000x8000000000000000342768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.584{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.584{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.584{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000342765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.583{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.583{6820D070-4DF9-6323-1F01-000000007502}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000342763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.583{6820D070-4DF9-6323-1F01-000000007502}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 10341000x8000000000000000342762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.583{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.583{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000342760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.583{6820D070-4DF9-6323-1F01-000000007502}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 10341000x8000000000000000342759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.583{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.583{6820D070-4DF9-6323-1F01-000000007502}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 10341000x8000000000000000342757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.583{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.583{6820D070-4DF9-6323-1F01-000000007502}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000342755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.582{6820D070-4DF9-6323-1F01-000000007502}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000342754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.582{6820D070-4DF9-6323-1F01-000000007502}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000342753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.582{6820D070-4DF9-6323-1F01-000000007502}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000342752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.581{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000342751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.581{6820D070-4DF9-6323-1F01-000000007502}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000342750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.581{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000342749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.581{6820D070-4DF9-6323-1F01-000000007502}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000342748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.581{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000342747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.579{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.581{6820D070-4DF9-6323-1F01-000000007502}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000342745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.580{6820D070-4DF9-6323-1F01-000000007502}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000342744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.580{6820D070-4DF9-6323-1F01-000000007502}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 17141700x8000000000000000342743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:25.580{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.34.99240149C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000342742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.580{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0trueMozilla CorporationValid 734700x8000000000000000342741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.580{6820D070-4DF9-6323-1F01-000000007502}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000342740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.580{6820D070-4DF9-6323-1F01-000000007502}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000342739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.579{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000342738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.579{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BE0753C5DF4E05E61FFFED3F11B0110,SHA256=DC9D28F9E2EEE48942A6C8D08FCEEDF0044C784D2430033851CE49C8103F558C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000342737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.578{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.578{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000342735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:25.578{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.33.105993728C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000342734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.577{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 10341000x8000000000000000342733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.577{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4DF9-6323-1F01-000000007502}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.575{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x8000000000000000342731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.575{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x8000000000000000342730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.574{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x8000000000000000342729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.574{6820D070-4DF9-6323-1F01-000000007502}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000342728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.574{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5291 (rs1_release.220806-1444)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=0D54B119907CCD11827832973EAB917D,SHA256=78C28A0165B0A2581662CFB3A89E319006518DC2E1A664E6027C7F8EBFA05D92,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x8000000000000000342727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.573{6820D070-4DF9-6323-1F01-000000007502}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 17141700x8000000000000000342726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:25.573{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.32.23495975C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000342725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.573{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll104.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D81C40EAA529D675598BD3D88F4D273B,SHA256=F89754F1E16A89AF01B5A3B2F4FDE652AA14DBA3131FB9A831D1E51E2E4D9359,IMPHASH=59035CC8561E9C04E566E656F35B9519trueMozilla CorporationValid 10341000x8000000000000000342724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.573{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.573{6820D070-4DF9-6323-1F01-000000007502}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000342722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.572{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.572{6820D070-4DF9-6323-1F01-000000007502}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 734700x8000000000000000342720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.572{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 10341000x8000000000000000342719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.572{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.572{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.572{6820D070-4B7C-6323-8800-000000007502}6281180C:\Windows\system32\csrss.exe{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000342716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.571{6820D070-4D64-6323-ED00-000000007502}61405840C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+2bb52|C:\Program Files\Mozilla Firefox\firefox.exe+59d7|C:\Program Files\Mozilla Firefox\xul.dll+203367f|C:\Program Files\Mozilla Firefox\xul.dll+9f4a88|C:\Program Files\Mozilla Firefox\xul.dll+9f2b85|C:\Program Files\Mozilla Firefox\xul.dll+9faa2e|C:\Program Files\Mozilla Firefox\xul.dll+84ead3|C:\Program Files\Mozilla Firefox\xul.dll+17b26ed|C:\Program Files\Mozilla Firefox\xul.dll+17b0967|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+8523f7|C:\Program Files\Mozilla Firefox\nss3.dll+75edc|C:\Program Files\Mozilla Firefox\nss3.dll+8c1d1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000342715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.571{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6140.30.1089626910\1760616962" -childID 27 -isForBrowser -prefsHandle 6784 -prefMapHandle 6788 -prefsLen 31603 -prefMapSize 231974 -jsInitHandle 1100 -jsInitLen 247228 -a11yResourceId 64 -parentBuildID 20220902153754 -appDir "C:\Program Files\Mozilla Firefox\browser" - 6140 "\\.\pipe\gecko-crash-server-pipe.6140" 6792 2612f260448 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{6820D070-4B7D-6323-1F63-0C0000000000}0xc631f2LowMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000342714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.570{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.570{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.570{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.569{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.569{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.569{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.569{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.569{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.568{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.568{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.568{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.568{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 10341000x8000000000000000342702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.568{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.568{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.567{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.567{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000342698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:25.567{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.31.49646927C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000342697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.567{6820D070-4ACF-6323-0500-000000007502}404420C:\Windows\system32\csrss.exe{6820D070-4DF9-6323-1F01-000000007502}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000342696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.567{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.567{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.566{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4DF9-6323-1F01-000000007502}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000342693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.566{6820D070-4DF9-6323-1F01-000000007502}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000342692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.566{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.566{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.566{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.566{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.565{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.565{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.565{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.565{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.565{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000342683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.564{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.562{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e76539|C:\Program Files\Mozilla Firefox\xul.dll+e6774a|C:\Program Files\Mozilla Firefox\xul.dll+378cdc3|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000342681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:25.561{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.30.108962691C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000342680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.560{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000342679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.559{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0trueMozilla CorporationValid 10341000x8000000000000000342678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.559{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9f9b59|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a7fd3f|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.557{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.557{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.555{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.555{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.551{6820D070-4B7C-6323-8800-000000007502}6281180C:\Windows\system32\csrss.exe{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000342672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.550{6820D070-4D64-6323-ED00-000000007502}61405840C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+2bb52|C:\Program Files\Mozilla Firefox\firefox.exe+59d7|C:\Program Files\Mozilla Firefox\xul.dll+203367f|C:\Program Files\Mozilla Firefox\xul.dll+9f4a88|C:\Program Files\Mozilla Firefox\xul.dll+9f2b85|C:\Program Files\Mozilla Firefox\xul.dll+9faa2e|C:\Program Files\Mozilla Firefox\xul.dll+84ead3|C:\Program Files\Mozilla Firefox\xul.dll+17b26ed|C:\Program Files\Mozilla Firefox\xul.dll+17b0967|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+8523f7|C:\Program Files\Mozilla Firefox\nss3.dll+75edc|C:\Program Files\Mozilla Firefox\nss3.dll+8c1d1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000342671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.550{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6140.29.463431823\1880803342" -childID 26 -isForBrowser -prefsHandle 4796 -prefMapHandle 6888 -prefsLen 31603 -prefMapSize 231974 -jsInitHandle 1100 -jsInitLen 247228 -a11yResourceId 64 -parentBuildID 20220902153754 -appDir "C:\Program Files\Mozilla Firefox\browser" - 6140 "\\.\pipe\gecko-crash-server-pipe.6140" 6840 2612f260148 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{6820D070-4B7D-6323-1F63-0C0000000000}0xc631f2LowMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000342670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.549{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.549{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.549{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.549{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.548{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.548{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.548{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.547{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.547{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.547{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.547{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.547{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.546{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.546{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.546{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.545{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.545{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.545{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.545{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.544{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.544{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.544{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.542{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.542{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.542{6820D070-4ACF-6323-0B00-000000007502}620668C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.541{6820D070-4ACF-6323-0B00-000000007502}620668C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000342644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:25.538{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.29.46343182C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000342643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.519{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e76539|C:\Program Files\Mozilla Firefox\xul.dll+e76f08|C:\Program Files\Mozilla Firefox\xul.dll+e65430|C:\Program Files\Mozilla Firefox\xul.dll+42b8d36|C:\Program Files\Mozilla Firefox\xul.dll+2412b58|C:\Program Files\Mozilla Firefox\xul.dll+9b8b70|C:\Program Files\Mozilla Firefox\xul.dll+9707a1|C:\Program Files\Mozilla Firefox\xul.dll+1810d8|C:\Program Files\Mozilla Firefox\xul.dll+9bc4e5|C:\Program Files\Mozilla Firefox\xul.dll+97c5dc|C:\Program Files\Mozilla Firefox\xul.dll+97f821|C:\Program Files\Mozilla Firefox\xul.dll+97e4db|C:\Program Files\Mozilla Firefox\xul.dll+97d705|C:\Program Files\Mozilla Firefox\xul.dll+988af0|C:\Program Files\Mozilla Firefox\xul.dll+8b5b12|C:\Program Files\Mozilla Firefox\xul.dll+83635f|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+1a61c23|C:\Program Files\Mozilla Firefox\xul.dll+17b1bad|C:\Program Files\Mozilla Firefox\xul.dll+1a890bb 354300x8000000000000000342642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.478{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local64561-false172.217.4.34ord38s18-in-f2.1e100.net443https 10341000x8000000000000000342641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.464{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000342640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.464{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000342639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.464{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000342638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.463{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000342637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.463{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000342636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.463{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000342635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.440{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF7-6323-1801-000000007502}6996C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e76539|C:\Program Files\Mozilla Firefox\xul.dll+e76f08|C:\Program Files\Mozilla Firefox\xul.dll+e65430|C:\Program Files\Mozilla Firefox\xul.dll+42b8d36|C:\Program Files\Mozilla Firefox\xul.dll+2412b58|C:\Program Files\Mozilla Firefox\xul.dll+9b8b70|C:\Program Files\Mozilla Firefox\xul.dll+9707a1|C:\Program Files\Mozilla Firefox\xul.dll+1810d8|C:\Program Files\Mozilla Firefox\xul.dll+9bc4e5|C:\Program Files\Mozilla Firefox\xul.dll+97c5dc|C:\Program Files\Mozilla Firefox\xul.dll+97f821|C:\Program Files\Mozilla Firefox\xul.dll+97e4db|C:\Program Files\Mozilla Firefox\xul.dll+97d705|C:\Program Files\Mozilla Firefox\xul.dll+988af0|C:\Program Files\Mozilla Firefox\xul.dll+8b5b12|C:\Program Files\Mozilla Firefox\xul.dll+83635f|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f 10341000x8000000000000000342634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.420{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF6-6323-1601-000000007502}5640C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e76539|C:\Program Files\Mozilla Firefox\xul.dll+e76f08|C:\Program Files\Mozilla Firefox\xul.dll+e65430|C:\Program Files\Mozilla Firefox\xul.dll+42b8d36|C:\Program Files\Mozilla Firefox\xul.dll+2412b58|C:\Program Files\Mozilla Firefox\xul.dll+9b8b70|C:\Program Files\Mozilla Firefox\xul.dll+9707a1|C:\Program Files\Mozilla Firefox\xul.dll+1810d8|C:\Program Files\Mozilla Firefox\xul.dll+9bc4e5|C:\Program Files\Mozilla Firefox\xul.dll+97c5dc|C:\Program Files\Mozilla Firefox\xul.dll+97f821|C:\Program Files\Mozilla Firefox\xul.dll+97e4db|C:\Program Files\Mozilla Firefox\xul.dll+97d705|C:\Program Files\Mozilla Firefox\xul.dll+988af0|C:\Program Files\Mozilla Firefox\xul.dll+8b5b12|C:\Program Files\Mozilla Firefox\xul.dll+83635f|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f 354300x8000000000000000342633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.397{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50224-false172.217.4.34ord38s18-in-f2.1e100.net443https 354300x8000000000000000342632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.381{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local64560- 354300x8000000000000000342631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.379{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local55099- 354300x8000000000000000342630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.348{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local54639- 354300x8000000000000000342629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.347{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59147- 354300x8000000000000000342628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.346{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local56615- 354300x8000000000000000342627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.343{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local58814- 354300x8000000000000000342626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.341{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local61693- 354300x8000000000000000342625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.340{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local60356- 354300x8000000000000000342624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.295{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50223-false35.170.152.34ec2-35-170-152-34.compute-1.amazonaws.com443https 354300x8000000000000000342623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.294{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50222-false74.119.119.150-443https 354300x8000000000000000342622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.285{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local55200- 354300x8000000000000000342621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.283{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50221-false52.223.40.198a6370ebea231e0c9a.awsglobalaccelerator.com443https 354300x8000000000000000342620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.283{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local60713- 354300x8000000000000000342619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.283{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53757- 354300x8000000000000000342618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.281{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local57194- 354300x8000000000000000342617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.281{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local54075- 354300x8000000000000000342616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.279{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53944- 354300x8000000000000000342615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.278{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local61607- 354300x8000000000000000342614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.278{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local64387- 354300x8000000000000000342613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.272{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50220-false69.192.209.51a69-192-209-51.deploy.static.akamaitechnologies.com443https 354300x8000000000000000342612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.270{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50219-false69.192.209.51a69-192-209-51.deploy.static.akamaitechnologies.com443https 354300x8000000000000000342611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.268{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53531- 354300x8000000000000000342610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.268{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59686- 354300x8000000000000000342609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.267{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local56320- 354300x8000000000000000342608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.265{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local61514- 354300x8000000000000000342607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.252{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local64367- 354300x8000000000000000342606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.229{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local61150- 354300x8000000000000000342605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.187{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50218-false52.73.161.63ec2-52-73-161-63.compute-1.amazonaws.com443https 734700x8000000000000000342604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.156{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll104.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=E955B74FC4EC39B2FBA71B95F5785511,SHA256=AF895F69461521DC6DE09FA62D81F833D63D8559CA58FDBDACDDEBAF756FE717,IMPHASH=603677F758E7CEE100C502B5C0E50293trueMozilla CorporationValid 734700x8000000000000000342603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.156{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll104.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=4E78CA1C6C19DE0E2F37505183B005A8,SHA256=ADFA856F86B98E90DA37A1BDA1ABC261A6A871042FB342F93F43C6777E9E3CE2,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 10341000x8000000000000000342602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.152{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.150{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000342600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.150{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D581FF203B6DDDAE91DC9123B93E27D7,SHA256=B9D69DEF5B5970517827A69C7C33051EA324080036427201B82F7FCF185FFEDD,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000342599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.146{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x8000000000000000342598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.145{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x8000000000000000342597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.144{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x8000000000000000342596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.141{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x8000000000000000342595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.140{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.140{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.140{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000342592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.138{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x8000000000000000342591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.136{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000342590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.136{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000342589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.135{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000342588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.135{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000342587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.134{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 18141800x8000000000000000342586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:25.130{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-24C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000342585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:25.130{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-24C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000342584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.128{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000342583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.128{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x8000000000000000342582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.127{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 10341000x8000000000000000342581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.113{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.112{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x8000000000000000342579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.111{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 18141800x8000000000000000342578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:25.111{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.18370384061194943154C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000342577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:25.111{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.18370384061194943154C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000342576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.111{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000342575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.110{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1a81b5a|C:\Program Files\Mozilla Firefox\xul.dll+1a7fb67|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000342574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:25.110{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.28.49449374C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000342573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.106{6820D070-4D64-6323-ED00-000000007502}61404084C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+114dfb|C:\Program Files\Mozilla Firefox\xul.dll+12ee2b1|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000342572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:25.106{6820D070-4D64-6323-ED00-000000007502}6140\gecko-crash-server-pipe.6140C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000342571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.101{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x8000000000000000342570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.100{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000342569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.100{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000342568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.100{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000342567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.099{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000342566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.099{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000342565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.098{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000342564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.098{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=55FCE44E89BDA2444619661FE50F43EE,SHA256=420CACA0D821E7E9F1D1E683E9899BC2F6D5A4AA06C8D4BB23335DD9490CC0F8,IMPHASH=8B8383FC3FA03C92F859A2AF899A52ADtrueMicrosoft WindowsValid 734700x8000000000000000342563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.098{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll104.0.2-FirefoxMozilla Foundationxul.dllMD5=0A51F22D078855CE4E32F0987E9B06C6,SHA256=CD073C7F42A13D192E8E96AC16B0C2BE56D40424768DC65733380AB4AFBD4716,IMPHASH=9A9A84C657A1B1C5F1F6F1989D349543trueMozilla CorporationValid 734700x8000000000000000342562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.097{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll104.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=8A81C934123E7CA79B7A1741570D3336,SHA256=0A0F351BBB315E6364398A55F77607E57C29CB83BEE9FC6D7EA6DC3D761964DA,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x8000000000000000342561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.096{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x8000000000000000342560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.095{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000342559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.094{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000342558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.094{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000342557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.094{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000342556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.094{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000342555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.093{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll104.0.2-FirefoxMozilla Foundationnss3.dllMD5=53509A4511300964ADB047AD5F1F1170,SHA256=2241536476C6C2CCE371DCFB08432C351198809A577FFC2E79D27FCEAAB6FEE5,IMPHASH=C637BF48786E5FC945D5268F49B50500trueMozilla CorporationValid 734700x8000000000000000342554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.091{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000342553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.088{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000342552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.088{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000342551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.087{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000342550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.087{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000342549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.086{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000342548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.086{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000342547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.084{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 734700x8000000000000000342546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.083{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x8000000000000000342545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.083{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x8000000000000000342544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.082{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x8000000000000000342543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.082{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5291 (rs1_release.220806-1444)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=0D54B119907CCD11827832973EAB917D,SHA256=78C28A0165B0A2581662CFB3A89E319006518DC2E1A664E6027C7F8EBFA05D92,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x8000000000000000342542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.082{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll104.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D81C40EAA529D675598BD3D88F4D273B,SHA256=F89754F1E16A89AF01B5A3B2F4FDE652AA14DBA3131FB9A831D1E51E2E4D9359,IMPHASH=59035CC8561E9C04E566E656F35B9519trueMozilla CorporationValid 734700x8000000000000000342541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.081{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000342540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.079{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000342539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.079{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000342538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.078{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e76539|C:\Program Files\Mozilla Firefox\xul.dll+e6774a|C:\Program Files\Mozilla Firefox\xul.dll+e75602|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+1a61c23|C:\Program Files\Mozilla Firefox\xul.dll+17b1bad|C:\Program Files\Mozilla Firefox\xul.dll+1a890bb|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000342537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.078{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000342536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.078{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0trueMozilla CorporationValid 10341000x8000000000000000342535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.077{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9f9b59|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a7fd3f|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.072{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.072{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.072{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.072{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.072{6820D070-4B7C-6323-8800-000000007502}6284268C:\Windows\system32\csrss.exe{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000342529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.071{6820D070-4D64-6323-ED00-000000007502}61405840C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+2bb52|C:\Program Files\Mozilla Firefox\firefox.exe+59d7|C:\Program Files\Mozilla Firefox\xul.dll+203367f|C:\Program Files\Mozilla Firefox\xul.dll+9f4a88|C:\Program Files\Mozilla Firefox\xul.dll+9f2b85|C:\Program Files\Mozilla Firefox\xul.dll+9faa2e|C:\Program Files\Mozilla Firefox\xul.dll+84ead3|C:\Program Files\Mozilla Firefox\xul.dll+17b26ed|C:\Program Files\Mozilla Firefox\xul.dll+17b0967|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+8523f7|C:\Program Files\Mozilla Firefox\nss3.dll+75edc|C:\Program Files\Mozilla Firefox\nss3.dll+8c1d1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000342528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.071{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6140.28.494493743\100157754" -childID 25 -isForBrowser -prefsHandle 8908 -prefMapHandle 2452 -prefsLen 31603 -prefMapSize 231974 -jsInitHandle 1100 -jsInitLen 247228 -a11yResourceId 64 -parentBuildID 20220902153754 -appDir "C:\Program Files\Mozilla Firefox\browser" - 6140 "\\.\pipe\gecko-crash-server-pipe.6140" 7408 2612e5d1748 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{6820D070-4B7D-6323-1F63-0C0000000000}0xc631f2LowMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000342527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.070{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.070{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.070{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.070{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.069{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.068{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.068{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.068{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.068{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.068{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.067{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.067{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.067{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.067{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.067{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.067{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.067{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.067{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.067{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.063{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.063{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.063{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.063{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.063{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.063{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000342502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.063{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000342501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:25.063{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.28.49449374C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000342500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.013{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000342499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.012{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000342498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.011{6820D070-4DF8-6323-1C01-000000007502}6284C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 22542200x8000000000000000342497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.622{6820D070-4D64-6323-ED00-000000007502}6140studio-t.teads.tv0type: 5 studio-t.teads.tv.edgekey.net;type: 5 e9957.e4.akamaiedge.net;::ffff:69.192.209.51;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000342496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.293{6820D070-4D64-6323-ED00-000000007502}6140ds-pr-bh.ybp.gysm.yahoodns.net02600:1f18:4e9:5a02:b371:809f:9514:eb53;2600:1f18:4e9:5a05:19c6:8f54:3d13:3206;2600:1f18:4e9:5a05:44f2:53f2:bfb5:4a94;2600:1f18:4e9:5a02:7151:3347:86d6:a72f;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000342495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.291{6820D070-4D64-6323-ED00-000000007502}6140ds-pr-bh.ybp.gysm.yahoodns.net052.71.220.196;3.224.202.184;35.170.152.34;44.205.131.114;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000342494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.290{6820D070-4D64-6323-ED00-000000007502}6140pr-bh.ybp.yahoo.com0type: 5 ds-pr-bh.ybp.gysm.yahoodns.net;::ffff:44.205.131.114;::ffff:52.71.220.196;::ffff:3.224.202.184;::ffff:35.170.152.34;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000342493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.289{6820D070-4D64-6323-ED00-000000007502}6140pr-bh.ybp.yahoo.com0type: 5 ds-pr-bh.ybp.gysm.yahoodns.net;::ffff:35.170.152.34;::ffff:44.205.131.114;::ffff:52.71.220.196;::ffff:3.224.202.184;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000342492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.281{6820D070-4D64-6323-ED00-000000007502}6140e9957.dsce4.akamaiedge.net02600:141b:e800:28e::26e5;2600:141b:e800:28d::26e5;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000342491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.260{6820D070-4D64-6323-ED00-000000007502}6140e9957.dsce4.akamaiedge.net069.192.209.51;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000342490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.257{6820D070-4D64-6323-ED00-000000007502}6140s8t.teads.tv0type: 5 s8t.teads.tv-v2.edgekey.net;type: 5 e9957.dsce4.akamaiedge.net;::ffff:69.192.209.51;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000342489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.098{6820D070-4D64-6323-ED00-000000007502}6140be-ms.teads.tv9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000342488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.096{6820D070-4D64-6323-ED00-000000007502}6140be-ms.teads.tv03.232.210.179;3.233.88.190;34.197.173.108;52.73.161.63;100.26.103.188;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000342487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.095{6820D070-4D64-6323-ED00-000000007502}6140be-ms.teads.tv0::ffff:100.26.103.188;::ffff:3.232.210.179;::ffff:3.233.88.190;::ffff:34.197.173.108;::ffff:52.73.161.63;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000342486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.094{6820D070-4D64-6323-ED00-000000007502}6140be-ms.teads.tv0::ffff:52.73.161.63;::ffff:100.26.103.188;::ffff:3.232.210.179;::ffff:3.233.88.190;::ffff:34.197.173.108;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000342485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.094{6820D070-4D64-6323-ED00-000000007502}6140e9957.e4.akamaiedge.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000342484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.092{6820D070-4D64-6323-ED00-000000007502}6140e9957.e4.akamaiedge.net069.192.209.51;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000342483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.091{6820D070-4D64-6323-ED00-000000007502}6140e9957.d.akamaiedge.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000342482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.090{6820D070-4D64-6323-ED00-000000007502}6140sync.teads.tv0type: 5 sync.teads.tv.edgekey.net;type: 5 e9957.e4.akamaiedge.net;::ffff:69.192.209.51;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000342481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.089{6820D070-4D64-6323-ED00-000000007502}6140e9957.d.akamaiedge.net023.48.205.83;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000189936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:25.037{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA787BE3130E46F9F7E0C72721426240,SHA256=B52EED7A6C0917F9F7B04616DD8ABC6D0C966CBD60DB7AB571389B492D04E456,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000344498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.978{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll104.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=E955B74FC4EC39B2FBA71B95F5785511,SHA256=AF895F69461521DC6DE09FA62D81F833D63D8559CA58FDBDACDDEBAF756FE717,IMPHASH=603677F758E7CEE100C502B5C0E50293trueMozilla CorporationValid 734700x8000000000000000344497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.976{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll104.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=4E78CA1C6C19DE0E2F37505183B005A8,SHA256=ADFA856F86B98E90DA37A1BDA1ABC261A6A871042FB342F93F43C6777E9E3CE2,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 10341000x8000000000000000344496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.946{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000344495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.946{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000344494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.946{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000344493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.945{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000344492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.945{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000344491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.945{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000344490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.940{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.939{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.933{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x8000000000000000344487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.930{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x8000000000000000344486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.928{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x8000000000000000344485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.924{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x8000000000000000344484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.922{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.922{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.919{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000344481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.917{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x8000000000000000344480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.912{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000344479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.911{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000344478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.911{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000344477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.911{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000344476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.910{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 18141800x8000000000000000344475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:26.903{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-39C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000344474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:26.903{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-39C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000344473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.894{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000344472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.892{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x8000000000000000344471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.891{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 734700x8000000000000000344470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.875{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll104.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=E955B74FC4EC39B2FBA71B95F5785511,SHA256=AF895F69461521DC6DE09FA62D81F833D63D8559CA58FDBDACDDEBAF756FE717,IMPHASH=603677F758E7CEE100C502B5C0E50293trueMozilla CorporationValid 10341000x8000000000000000344469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.870{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.869{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 18141800x8000000000000000344467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:26.867{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.6391125599365286369C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000344466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:26.867{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.6391125599365286369C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000344465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.866{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000344464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.865{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000344463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.864{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll104.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=4E78CA1C6C19DE0E2F37505183B005A8,SHA256=ADFA856F86B98E90DA37A1BDA1ABC261A6A871042FB342F93F43C6777E9E3CE2,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 10341000x8000000000000000344462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.864{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1a81b5a|C:\Program Files\Mozilla Firefox\xul.dll+1a7fb67|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000344461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:26.863{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.43.123221422C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000344460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.856{6820D070-4D64-6323-ED00-000000007502}61404084C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+114dfb|C:\Program Files\Mozilla Firefox\xul.dll+12ee2b1|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000344459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:26.855{6820D070-4D64-6323-ED00-000000007502}6140\gecko-crash-server-pipe.6140C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000344458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.852{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll104.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=E955B74FC4EC39B2FBA71B95F5785511,SHA256=AF895F69461521DC6DE09FA62D81F833D63D8559CA58FDBDACDDEBAF756FE717,IMPHASH=603677F758E7CEE100C502B5C0E50293trueMozilla CorporationValid 734700x8000000000000000344457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.850{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll104.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=4E78CA1C6C19DE0E2F37505183B005A8,SHA256=ADFA856F86B98E90DA37A1BDA1ABC261A6A871042FB342F93F43C6777E9E3CE2,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 734700x8000000000000000344456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.848{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x8000000000000000344455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.847{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000344454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.846{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000344453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.845{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000344452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.845{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000344451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.844{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000344450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.843{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000344449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.843{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=55FCE44E89BDA2444619661FE50F43EE,SHA256=420CACA0D821E7E9F1D1E683E9899BC2F6D5A4AA06C8D4BB23335DD9490CC0F8,IMPHASH=8B8383FC3FA03C92F859A2AF899A52ADtrueMicrosoft WindowsValid 734700x8000000000000000344448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.842{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll104.0.2-FirefoxMozilla Foundationxul.dllMD5=0A51F22D078855CE4E32F0987E9B06C6,SHA256=CD073C7F42A13D192E8E96AC16B0C2BE56D40424768DC65733380AB4AFBD4716,IMPHASH=9A9A84C657A1B1C5F1F6F1989D349543trueMozilla CorporationValid 734700x8000000000000000344447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.841{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll104.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=8A81C934123E7CA79B7A1741570D3336,SHA256=0A0F351BBB315E6364398A55F77607E57C29CB83BEE9FC6D7EA6DC3D761964DA,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x8000000000000000344446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.837{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x8000000000000000344445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.836{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000344444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.836{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000344443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.835{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000344442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.835{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000344441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.834{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000344440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.834{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll104.0.2-FirefoxMozilla Foundationnss3.dllMD5=53509A4511300964ADB047AD5F1F1170,SHA256=2241536476C6C2CCE371DCFB08432C351198809A577FFC2E79D27FCEAAB6FEE5,IMPHASH=C637BF48786E5FC945D5268F49B50500trueMozilla CorporationValid 734700x8000000000000000344439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.832{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000344438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.831{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000344437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.831{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000344436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.830{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000344435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.830{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000344434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.828{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000344433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.828{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 10341000x8000000000000000344432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.825{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.823{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 10341000x8000000000000000344430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.823{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.823{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x8000000000000000344428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.821{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x8000000000000000344427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.820{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x8000000000000000344426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.820{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5291 (rs1_release.220806-1444)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=0D54B119907CCD11827832973EAB917D,SHA256=78C28A0165B0A2581662CFB3A89E319006518DC2E1A664E6027C7F8EBFA05D92,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x8000000000000000344425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.819{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll104.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D81C40EAA529D675598BD3D88F4D273B,SHA256=F89754F1E16A89AF01B5A3B2F4FDE652AA14DBA3131FB9A831D1E51E2E4D9359,IMPHASH=59035CC8561E9C04E566E656F35B9519trueMozilla CorporationValid 734700x8000000000000000344424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.818{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 10341000x8000000000000000344423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.818{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.816{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.816{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000344420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.815{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x8000000000000000344419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.815{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000344418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.812{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000344417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.812{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x8000000000000000344416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.812{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0trueMozilla CorporationValid 10341000x8000000000000000344415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.810{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e76539|C:\Program Files\Mozilla Firefox\xul.dll+e6774a|C:\Program Files\Mozilla Firefox\xul.dll+378cdc3|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.810{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 10341000x8000000000000000344413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.809{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9f9b59|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a7fd3f|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.808{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x8000000000000000344411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.808{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x8000000000000000344410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.807{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 10341000x8000000000000000344409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.804{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.804{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.804{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.804{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x8000000000000000344405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.804{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.804{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x8000000000000000344403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.803{6820D070-4B7C-6323-8800-000000007502}6284268C:\Windows\system32\csrss.exe{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000344402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.803{6820D070-4D64-6323-ED00-000000007502}61405840C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+2bb52|C:\Program Files\Mozilla Firefox\firefox.exe+59d7|C:\Program Files\Mozilla Firefox\xul.dll+203367f|C:\Program Files\Mozilla Firefox\xul.dll+9f4a88|C:\Program Files\Mozilla Firefox\xul.dll+9f2b85|C:\Program Files\Mozilla Firefox\xul.dll+9faa2e|C:\Program Files\Mozilla Firefox\xul.dll+84ead3|C:\Program Files\Mozilla Firefox\xul.dll+17b26ed|C:\Program Files\Mozilla Firefox\xul.dll+17b0967|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+8523f7|C:\Program Files\Mozilla Firefox\nss3.dll+75edc|C:\Program Files\Mozilla Firefox\nss3.dll+8c1d1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.803{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000344400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.803{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6140.43.1232214228\777843737" -childID 40 -isForBrowser -prefsHandle 9460 -prefMapHandle 9540 -prefsLen 31603 -prefMapSize 231974 -jsInitHandle 1100 -jsInitLen 247228 -a11yResourceId 64 -parentBuildID 20220902153754 -appDir "C:\Program Files\Mozilla Firefox\browser" - 6140 "\\.\pipe\gecko-crash-server-pipe.6140" 10096 26129394748 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{6820D070-4B7D-6323-1F63-0C0000000000}0xc631f2LowMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 354300x8000000000000000344399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.992{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59648- 354300x8000000000000000344398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.987{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local54670- 354300x8000000000000000344397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.986{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50262-false67.202.105.21ip21.67-202-105.static.steadfastdns.net443https 354300x8000000000000000344396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.984{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local54559- 354300x8000000000000000344395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.974{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local56758- 354300x8000000000000000344394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.971{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local55676- 354300x8000000000000000344393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.962{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local56321- 354300x8000000000000000344392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.962{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local64025- 354300x8000000000000000344391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.960{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local55128- 354300x8000000000000000344390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.953{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local58899- 354300x8000000000000000344389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.952{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local56747- 354300x8000000000000000344388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.944{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local57273- 354300x8000000000000000344387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.943{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local60885- 354300x8000000000000000344386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.942{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local58885- 354300x8000000000000000344385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.935{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50259-false216.200.232.253-443https 354300x8000000000000000344384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.933{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50261-false35.211.178.172172.178.211.35.bc.googleusercontent.com443https 354300x8000000000000000344383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.923{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50260-false3.218.90.66ec2-3-218-90-66.compute-1.amazonaws.com443https 354300x8000000000000000344382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.918{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50257-false23.39.61.5a23-39-61-5.deploy.static.akamaitechnologies.com443https 354300x8000000000000000344381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.913{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50258-false3.218.90.66ec2-3-218-90-66.compute-1.amazonaws.com443https 354300x8000000000000000344380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.901{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61386-false104.22.55.206-443https 354300x8000000000000000344379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.866{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50256-false207.198.113.204-443https 354300x8000000000000000344378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.865{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50254-false3.218.90.66ec2-3-218-90-66.compute-1.amazonaws.com443https 354300x8000000000000000344377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.865{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50255-false205.180.85.172iad02-login.dotomi.com443https 354300x8000000000000000344376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.850{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local64239- 354300x8000000000000000344375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.779{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50253-false104.18.25.121-443https 354300x8000000000000000344374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.764{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50249-false35.211.178.172172.178.211.35.bc.googleusercontent.com443https 354300x8000000000000000344373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.764{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50250-false35.211.178.172172.178.211.35.bc.googleusercontent.com443https 354300x8000000000000000344372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.763{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50252-false199.127.204.147-443https 10341000x8000000000000000344371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.802{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.802{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.802{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.802{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 10341000x8000000000000000344367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.801{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.801{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.801{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.801{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.801{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.800{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.800{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 10341000x8000000000000000344360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.800{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.800{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.799{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.799{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.799{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.799{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.798{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.798{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.798{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.798{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 10341000x8000000000000000344350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.798{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.797{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.797{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.797{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.797{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.796{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.796{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 10341000x8000000000000000344343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.796{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.796{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.796{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.796{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.795{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.795{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000344337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.795{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000344336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.794{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x8000000000000000344335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.794{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000344334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.793{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 17141700x8000000000000000344333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:26.792{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.43.123221422C:\Program Files\Mozilla Firefox\firefox.exe 18141800x8000000000000000344332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:26.787{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-38C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000344331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:26.787{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-38C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000344330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.786{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000344329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.786{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000344328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.785{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000344327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.785{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000344326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.785{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x8000000000000000344325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.785{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000344324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.784{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 734700x8000000000000000344323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.783{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 18141800x8000000000000000344322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:26.777{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-37C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000344321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:26.777{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-37C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000344320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.773{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000344319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.772{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 23542300x8000000000000000344318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.766{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\22983MD5=364931B4719C5D74C8FCFBA018DD3300,SHA256=2D30A7D4552EF56C94EA68B72C8CDF1AEBE16E3B031918C3A428E9DBE687ACFB,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000344317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.769{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 10341000x8000000000000000344316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.764{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.763{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 18141800x8000000000000000344314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:26.762{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.12512446268011234564C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000344313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:26.762{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.12512446268011234564C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000344312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.761{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000344311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.759{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000344310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.758{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1a81b5a|C:\Program Files\Mozilla Firefox\xul.dll+1a7fb67|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000344309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:26.758{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.42.177103838C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000344308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.750{6820D070-4D64-6323-ED00-000000007502}61404084C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+114dfb|C:\Program Files\Mozilla Firefox\xul.dll+12ee2b1|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000344307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:26.749{6820D070-4D64-6323-ED00-000000007502}6140\gecko-crash-server-pipe.6140C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000344306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.745{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll104.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=E955B74FC4EC39B2FBA71B95F5785511,SHA256=AF895F69461521DC6DE09FA62D81F833D63D8559CA58FDBDACDDEBAF756FE717,IMPHASH=603677F758E7CEE100C502B5C0E50293trueMozilla CorporationValid 734700x8000000000000000344305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.744{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll104.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=4E78CA1C6C19DE0E2F37505183B005A8,SHA256=ADFA856F86B98E90DA37A1BDA1ABC261A6A871042FB342F93F43C6777E9E3CE2,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 734700x8000000000000000344304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.740{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x8000000000000000344303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.739{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000344302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.739{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000344301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.739{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000344300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.738{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000344299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.738{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000344298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.738{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000344297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.738{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=55FCE44E89BDA2444619661FE50F43EE,SHA256=420CACA0D821E7E9F1D1E683E9899BC2F6D5A4AA06C8D4BB23335DD9490CC0F8,IMPHASH=8B8383FC3FA03C92F859A2AF899A52ADtrueMicrosoft WindowsValid 10341000x8000000000000000344296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.737{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.737{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll104.0.2-FirefoxMozilla Foundationxul.dllMD5=0A51F22D078855CE4E32F0987E9B06C6,SHA256=CD073C7F42A13D192E8E96AC16B0C2BE56D40424768DC65733380AB4AFBD4716,IMPHASH=9A9A84C657A1B1C5F1F6F1989D349543trueMozilla CorporationValid 734700x8000000000000000344294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.736{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll104.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=8A81C934123E7CA79B7A1741570D3336,SHA256=0A0F351BBB315E6364398A55F77607E57C29CB83BEE9FC6D7EA6DC3D761964DA,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x8000000000000000344293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.735{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 23542300x8000000000000000344292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.734{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\23108MD5=1571F4F6A3D838A2BE5BAB44C8EAB3D8,SHA256=18E303DFF0AD86D20582ECF8A1E7A98680D1FAAA5F682939679FEA6D18F12671,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000344291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.733{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x8000000000000000344290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.733{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000344289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.733{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000344288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.732{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000344287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.731{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000344286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.731{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000344285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.730{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000344284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.730{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000344283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.729{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll104.0.2-FirefoxMozilla Foundationnss3.dllMD5=53509A4511300964ADB047AD5F1F1170,SHA256=2241536476C6C2CCE371DCFB08432C351198809A577FFC2E79D27FCEAAB6FEE5,IMPHASH=C637BF48786E5FC945D5268F49B50500trueMozilla CorporationValid 18141800x8000000000000000344282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:26.727{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.8017165376195882793C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000344281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:26.727{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.8017165376195882793C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000344280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.726{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000344279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.724{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 10341000x8000000000000000344278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.723{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1a81b5a|C:\Program Files\Mozilla Firefox\xul.dll+1a7fb67|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.723{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000344276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.722{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000344275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.722{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 23542300x8000000000000000344274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.722{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\22480MD5=87AF2538061823B6E236A15FCAEC919C,SHA256=1556C0ACBF31BC8DA6886403B35D976FBF35865DF9C9097F09C6369EC01CAAD5,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000344273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.720{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000344272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.720{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000344271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.717{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 734700x8000000000000000344270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.717{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 18141800x8000000000000000344269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:26.716{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.40.186030653C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000344268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.716{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x8000000000000000344267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.716{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x8000000000000000344266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.715{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5291 (rs1_release.220806-1444)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=0D54B119907CCD11827832973EAB917D,SHA256=78C28A0165B0A2581662CFB3A89E319006518DC2E1A664E6027C7F8EBFA05D92,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x8000000000000000344265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.714{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll104.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D81C40EAA529D675598BD3D88F4D273B,SHA256=F89754F1E16A89AF01B5A3B2F4FDE652AA14DBA3131FB9A831D1E51E2E4D9359,IMPHASH=59035CC8561E9C04E566E656F35B9519trueMozilla CorporationValid 734700x8000000000000000344264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.714{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000344263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.711{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000344262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.711{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000344261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.711{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.710{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.709{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.709{6820D070-4D64-6323-ED00-000000007502}61404084C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+114dfb|C:\Program Files\Mozilla Firefox\xul.dll+12ee2b1|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000344257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:26.708{6820D070-4D64-6323-ED00-000000007502}6140\gecko-crash-server-pipe.6140C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000344256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.706{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000344255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.706{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0trueMozilla CorporationValid 10341000x8000000000000000344254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.705{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.704{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.704{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.704{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e76539|C:\Program Files\Mozilla Firefox\xul.dll+e6774a|C:\Program Files\Mozilla Firefox\xul.dll+378cdc3|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.703{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9f9b59|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a7fd3f|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000344249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.703{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\19842MD5=BCC6E226CF8475810778E538CF42BACB,SHA256=531BC5C4D633E8C3785903FB3BC66DD79178D44A558B33880F67ABE07D9FDF26,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000344248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.699{6820D070-4B7C-6323-8800-000000007502}6281180C:\Windows\system32\csrss.exe{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000344247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.699{6820D070-4D64-6323-ED00-000000007502}61405840C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+2bb52|C:\Program Files\Mozilla Firefox\firefox.exe+59d7|C:\Program Files\Mozilla Firefox\xul.dll+203367f|C:\Program Files\Mozilla Firefox\xul.dll+9f4a88|C:\Program Files\Mozilla Firefox\xul.dll+9f2b85|C:\Program Files\Mozilla Firefox\xul.dll+9faa2e|C:\Program Files\Mozilla Firefox\xul.dll+84ead3|C:\Program Files\Mozilla Firefox\xul.dll+17b26ed|C:\Program Files\Mozilla Firefox\xul.dll+17b0967|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+8523f7|C:\Program Files\Mozilla Firefox\nss3.dll+75edc|C:\Program Files\Mozilla Firefox\nss3.dll+8c1d1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.699{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 154100x8000000000000000344245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.699{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6140.42.1771038388\153705863" -childID 39 -isForBrowser -prefsHandle 10144 -prefMapHandle 10156 -prefsLen 31603 -prefMapSize 231974 -jsInitHandle 1100 -jsInitLen 247228 -a11yResourceId 64 -parentBuildID 20220902153754 -appDir "C:\Program Files\Mozilla Firefox\browser" - 6140 "\\.\pipe\gecko-crash-server-pipe.6140" 9920 2612fcad648 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{6820D070-4B7D-6323-1F63-0C0000000000}0xc631f2LowMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 734700x8000000000000000344244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.699{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 10341000x8000000000000000344243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.697{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.697{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.697{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.697{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 10341000x8000000000000000344239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.697{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.697{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.697{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 10341000x8000000000000000344236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.696{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.696{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 10341000x8000000000000000344234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.696{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.696{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.695{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.695{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 10341000x8000000000000000344230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.694{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.693{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.693{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.693{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.693{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.693{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 10341000x8000000000000000344224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.693{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.692{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.692{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.692{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.691{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.691{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 10341000x8000000000000000344218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.690{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.690{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.689{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.689{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x8000000000000000344214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.689{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.689{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.689{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.688{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.688{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.688{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.688{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000344207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.687{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000344206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.687{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000344205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.686{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=55FCE44E89BDA2444619661FE50F43EE,SHA256=420CACA0D821E7E9F1D1E683E9899BC2F6D5A4AA06C8D4BB23335DD9490CC0F8,IMPHASH=8B8383FC3FA03C92F859A2AF899A52ADtrueMicrosoft WindowsValid 734700x8000000000000000344204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.685{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll104.0.2-FirefoxMozilla Foundationxul.dllMD5=0A51F22D078855CE4E32F0987E9B06C6,SHA256=CD073C7F42A13D192E8E96AC16B0C2BE56D40424768DC65733380AB4AFBD4716,IMPHASH=9A9A84C657A1B1C5F1F6F1989D349543trueMozilla CorporationValid 734700x8000000000000000344203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.685{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll104.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=8A81C934123E7CA79B7A1741570D3336,SHA256=0A0F351BBB315E6364398A55F77607E57C29CB83BEE9FC6D7EA6DC3D761964DA,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x8000000000000000344202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.684{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 23542300x8000000000000000344201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.684{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20C912DAA80FD013F21633C844DA59F5,SHA256=B64BF18552C51AE1F0861849FBBC2CBD7A31DEB9C285C6D296A542FCD4CA4198,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000344200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.683{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x8000000000000000344199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.681{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000344198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.680{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 17141700x8000000000000000344197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:26.680{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.42.177103838C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000344196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.680{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000344195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.680{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000344194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.679{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000344193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.679{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x8000000000000000344192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.678{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000344191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.676{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000344190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.676{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 18141800x8000000000000000344189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:26.674{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-36C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000344188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:26.674{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-36C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000344187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.671{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000344186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.671{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x8000000000000000344185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.670{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 734700x8000000000000000344184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.666{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000344183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.666{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll104.0.2-FirefoxMozilla Foundationnss3.dllMD5=53509A4511300964ADB047AD5F1F1170,SHA256=2241536476C6C2CCE371DCFB08432C351198809A577FFC2E79D27FCEAAB6FEE5,IMPHASH=C637BF48786E5FC945D5268F49B50500trueMozilla CorporationValid 734700x8000000000000000344182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.662{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000344181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.657{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000344180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.655{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000344179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.654{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000344178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.654{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000344177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.651{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000344176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.651{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 10341000x8000000000000000344175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.650{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000344174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:26.649{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.2268168450521352753C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000344173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:26.649{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.2268168450521352753C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000344172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.649{6820D070-4DFA-6323-2A01-000000007502}8240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000344171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.649{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 10341000x8000000000000000344170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.648{6820D070-4DFA-6323-2A01-000000007502}82408244C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.648{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x8000000000000000344168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.647{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000344167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.646{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000344166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.645{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1a81b5a|C:\Program Files\Mozilla Firefox\xul.dll+1a7fb67|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.645{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 18141800x8000000000000000344164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:26.645{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.41.145357624C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000344163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.643{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.643{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.643{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.642{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.632{6820D070-4D64-6323-ED00-000000007502}61404084C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+114dfb|C:\Program Files\Mozilla Firefox\xul.dll+12ee2b1|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000344158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:26.631{6820D070-4D64-6323-ED00-000000007502}6140\gecko-crash-server-pipe.6140C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000344157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.630{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x8000000000000000344156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.630{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x8000000000000000344155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.629{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5291 (rs1_release.220806-1444)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=0D54B119907CCD11827832973EAB917D,SHA256=78C28A0165B0A2581662CFB3A89E319006518DC2E1A664E6027C7F8EBFA05D92,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x8000000000000000344154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.628{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll104.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D81C40EAA529D675598BD3D88F4D273B,SHA256=F89754F1E16A89AF01B5A3B2F4FDE652AA14DBA3131FB9A831D1E51E2E4D9359,IMPHASH=59035CC8561E9C04E566E656F35B9519trueMozilla CorporationValid 734700x8000000000000000344153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.626{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000344152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.625{6820D070-4DFA-6323-2A01-000000007502}8240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000344151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.625{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x8000000000000000344150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.624{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000344149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.624{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000344148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.623{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000344147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.623{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000344146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.623{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000344145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.622{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000344144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.622{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=55FCE44E89BDA2444619661FE50F43EE,SHA256=420CACA0D821E7E9F1D1E683E9899BC2F6D5A4AA06C8D4BB23335DD9490CC0F8,IMPHASH=8B8383FC3FA03C92F859A2AF899A52ADtrueMicrosoft WindowsValid 734700x8000000000000000344143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.621{6820D070-4DFA-6323-2A01-000000007502}8240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000344142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.621{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll104.0.2-FirefoxMozilla Foundationxul.dllMD5=0A51F22D078855CE4E32F0987E9B06C6,SHA256=CD073C7F42A13D192E8E96AC16B0C2BE56D40424768DC65733380AB4AFBD4716,IMPHASH=9A9A84C657A1B1C5F1F6F1989D349543trueMozilla CorporationValid 734700x8000000000000000344141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.621{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll104.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=8A81C934123E7CA79B7A1741570D3336,SHA256=0A0F351BBB315E6364398A55F77607E57C29CB83BEE9FC6D7EA6DC3D761964DA,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x8000000000000000344140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.619{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x8000000000000000344139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.618{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000344138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.616{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000344137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.616{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000344136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.616{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000344135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.615{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000344134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.615{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll104.0.2-FirefoxMozilla Foundationnss3.dllMD5=53509A4511300964ADB047AD5F1F1170,SHA256=2241536476C6C2CCE371DCFB08432C351198809A577FFC2E79D27FCEAAB6FEE5,IMPHASH=C637BF48786E5FC945D5268F49B50500trueMozilla CorporationValid 734700x8000000000000000344133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.612{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000344132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.610{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000344131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.608{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000344130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.607{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000344129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.607{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000344128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.607{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000344127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.606{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000344126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.602{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000344125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.602{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000344124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.600{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 734700x8000000000000000344123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.599{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x8000000000000000344122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.598{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000344121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.598{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x8000000000000000344120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.598{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x8000000000000000344119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.597{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5291 (rs1_release.220806-1444)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=0D54B119907CCD11827832973EAB917D,SHA256=78C28A0165B0A2581662CFB3A89E319006518DC2E1A664E6027C7F8EBFA05D92,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x8000000000000000344118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.596{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll104.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D81C40EAA529D675598BD3D88F4D273B,SHA256=F89754F1E16A89AF01B5A3B2F4FDE652AA14DBA3131FB9A831D1E51E2E4D9359,IMPHASH=59035CC8561E9C04E566E656F35B9519trueMozilla CorporationValid 10341000x8000000000000000344117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.596{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.596{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.596{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0trueMozilla CorporationValid 734700x8000000000000000344114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.596{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 10341000x8000000000000000344113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.595{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e76539|C:\Program Files\Mozilla Firefox\xul.dll+e6774a|C:\Program Files\Mozilla Firefox\xul.dll+378cdc3|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.594{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 10341000x8000000000000000344111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.593{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e76539|C:\Program Files\Mozilla Firefox\xul.dll+e6774a|C:\Program Files\Mozilla Firefox\xul.dll+378cdc3|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.593{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000344109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.592{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000344108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.592{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0trueMozilla CorporationValid 10341000x8000000000000000344107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.592{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9f9b59|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a7fd3f|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.591{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9f9b59|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a7fd3f|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.575{6820D070-4B7C-6323-8800-000000007502}6281180C:\Windows\system32\csrss.exe{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000344104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.574{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.574{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.574{6820D070-4D64-6323-ED00-000000007502}61405840C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+2bb52|C:\Program Files\Mozilla Firefox\firefox.exe+59d7|C:\Program Files\Mozilla Firefox\xul.dll+203367f|C:\Program Files\Mozilla Firefox\xul.dll+9f4a88|C:\Program Files\Mozilla Firefox\xul.dll+9f2b85|C:\Program Files\Mozilla Firefox\xul.dll+9faa2e|C:\Program Files\Mozilla Firefox\xul.dll+84ead3|C:\Program Files\Mozilla Firefox\xul.dll+17b26ed|C:\Program Files\Mozilla Firefox\xul.dll+17b0885|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+8523f7|C:\Program Files\Mozilla Firefox\nss3.dll+75edc|C:\Program Files\Mozilla Firefox\nss3.dll+8c1d1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000344101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.574{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6140.41.1453576244\1501109275" -childID 38 -isForBrowser -prefsHandle 9936 -prefMapHandle 9920 -prefsLen 31603 -prefMapSize 231974 -jsInitHandle 1100 -jsInitLen 247228 -a11yResourceId 64 -parentBuildID 20220902153754 -appDir "C:\Program Files\Mozilla Firefox\browser" - 6140 "\\.\pipe\gecko-crash-server-pipe.6140" 10028 261302fa448 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{6820D070-4B7D-6323-1F63-0C0000000000}0xc631f2LowMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000344100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.573{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.573{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.572{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.572{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.572{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.572{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.571{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.571{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.571{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.570{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.570{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.570{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.568{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.568{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.567{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.567{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.567{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.566{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.566{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.566{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.566{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.565{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.565{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.565{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.565{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.564{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.558{6820D070-4B7C-6323-8800-000000007502}6284268C:\Windows\system32\csrss.exe{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000344073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.557{6820D070-4D64-6323-ED00-000000007502}61405840C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+2bb52|C:\Program Files\Mozilla Firefox\firefox.exe+59d7|C:\Program Files\Mozilla Firefox\xul.dll+203367f|C:\Program Files\Mozilla Firefox\xul.dll+9f4a88|C:\Program Files\Mozilla Firefox\xul.dll+9f2b85|C:\Program Files\Mozilla Firefox\xul.dll+9faa2e|C:\Program Files\Mozilla Firefox\xul.dll+84ead3|C:\Program Files\Mozilla Firefox\xul.dll+17b26ed|C:\Program Files\Mozilla Firefox\xul.dll+17b0967|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+8523f7|C:\Program Files\Mozilla Firefox\nss3.dll+75edc|C:\Program Files\Mozilla Firefox\nss3.dll+8c1d1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000344072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.557{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6140.40.1860306530\1512722994" -childID 37 -isForBrowser -prefsHandle 9976 -prefMapHandle 5364 -prefsLen 31603 -prefMapSize 231974 -jsInitHandle 1100 -jsInitLen 247228 -a11yResourceId 64 -parentBuildID 20220902153754 -appDir "C:\Program Files\Mozilla Firefox\browser" - 6140 "\\.\pipe\gecko-crash-server-pipe.6140" 9836 2612ffe3848 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{6820D070-4B7D-6323-1F63-0C0000000000}0xc631f2LowMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 17141700x8000000000000000344071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:26.556{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.41.145357624C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000344070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.556{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.556{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.555{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.555{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.555{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.555{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.554{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.554{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.554{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.551{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.550{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.548{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.548{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.548{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.547{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.547{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.547{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.544{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.544{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.544{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.543{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.543{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.543{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.542{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.542{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.540{6820D070-4ACF-6323-0B00-000000007502}620668C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000344044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:26.537{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.40.186030653C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000344043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.532{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.531{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.531{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.528{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.492{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202,IMPHASH=0E9C1FA273A5EFD763FAC8E145B20C80trueMicrosoft WindowsValid 354300x8000000000000000344038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.758{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local60999- 354300x8000000000000000344037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.757{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50251-false199.38.167.129-443https 354300x8000000000000000344036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.755{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local56681- 354300x8000000000000000344035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.752{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50248-false35.227.252.103-443https 354300x8000000000000000344034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.752{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50247-false69.173.151.100-443https 354300x8000000000000000344033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.751{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local58696- 354300x8000000000000000344032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.750{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50246-false54.236.105.82ec2-54-236-105-82.compute-1.amazonaws.com443https 354300x8000000000000000344031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.712{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59103- 354300x8000000000000000344030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.712{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59358- 354300x8000000000000000344029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.711{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local57473- 354300x8000000000000000344028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.711{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53941- 354300x8000000000000000344027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.710{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59075- 354300x8000000000000000344026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.710{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59873- 354300x8000000000000000344025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.708{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local54325- 354300x8000000000000000344024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.708{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local60182- 354300x8000000000000000344023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.707{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local57576- 354300x8000000000000000344022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.697{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local60536- 354300x8000000000000000344021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.694{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local57293- 354300x8000000000000000344020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.686{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50243-false23.39.60.27a23-39-60-27.deploy.static.akamaitechnologies.com443https 354300x8000000000000000344019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.679{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50242-false13.33.165.6server-13-33-165-6.yto50.r.cloudfront.net443https 354300x8000000000000000344018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.677{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local54587- 354300x8000000000000000344017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.675{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53733- 354300x8000000000000000344016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.674{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local55170- 354300x8000000000000000344015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.673{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local60310- 354300x8000000000000000344014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.672{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local64045- 354300x8000000000000000344013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.671{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local54425- 354300x8000000000000000344012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.668{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local64209- 354300x8000000000000000344011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.668{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local58616- 354300x8000000000000000344010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.664{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local61069- 354300x8000000000000000344009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.663{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local57703- 354300x8000000000000000344008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.662{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local64535- 354300x8000000000000000344007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.661{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local54261- 354300x8000000000000000344006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.661{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local61623- 354300x8000000000000000344005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.660{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local64753- 354300x8000000000000000344004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.660{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50241-false104.22.55.206-443https 354300x8000000000000000344003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.659{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local55941- 354300x8000000000000000344002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.658{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59974- 354300x8000000000000000344001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.658{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local60666- 354300x8000000000000000344000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.658{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53480- 354300x8000000000000000343999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.658{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59516- 354300x8000000000000000343998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.657{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63066- 354300x8000000000000000343997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.656{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local55817- 354300x8000000000000000343996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.650{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local58699- 354300x8000000000000000343995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.645{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local58782- 354300x8000000000000000343994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.640{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local54937- 354300x8000000000000000343993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.639{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local58506- 354300x8000000000000000343992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.636{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53635- 10341000x8000000000000000343991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.392{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000343990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.629{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local64603- 354300x8000000000000000343989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.623{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50239-false104.98.89.221a104-98-89-221.deploy.static.akamaitechnologies.com443https 354300x8000000000000000343988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.617{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local55898- 354300x8000000000000000343987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.616{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50240-false35.71.139.29afb83dd09526a6517.awsglobalaccelerator.com443https 354300x8000000000000000343986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.616{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local61055- 10341000x8000000000000000343985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.391{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000343984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.614{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63679- 354300x8000000000000000343983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.610{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50238-false146.75.33.108-443https 354300x8000000000000000343982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.607{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local54405- 354300x8000000000000000343981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.602{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53568- 10341000x8000000000000000343980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.391{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000343979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.597{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local62916- 354300x8000000000000000343978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.596{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50237-false23.39.37.13a23-39-37-13.deploy.static.akamaitechnologies.com443https 354300x8000000000000000343977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.596{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local55556- 354300x8000000000000000343976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.596{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63768- 354300x8000000000000000343975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.594{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local61994- 10341000x8000000000000000343974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.391{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000343973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.594{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50234-false23.53.112.201a23-53-112-201.deploy.static.akamaitechnologies.com443https 354300x8000000000000000343972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.591{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local60583- 354300x8000000000000000343971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.589{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local54649- 354300x8000000000000000343970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.588{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50236-false104.18.24.121-443https 354300x8000000000000000343969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.587{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50235-false99.86.224.69server-99-86-224-69.iad79.r.cloudfront.net443https 354300x8000000000000000343968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.586{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local64019- 354300x8000000000000000343967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.586{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50233-false34.98.64.218218.64.98.34.bc.googleusercontent.com443https 354300x8000000000000000343966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.577{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local56004- 354300x8000000000000000343965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.577{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local61356- 354300x8000000000000000343964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.577{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local56425- 354300x8000000000000000343963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.575{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local61118- 354300x8000000000000000343962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.574{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local58228- 354300x8000000000000000343961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.573{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local58389- 354300x8000000000000000343960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.573{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local58098- 354300x8000000000000000343959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.571{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59081- 734700x8000000000000000343958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.360{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202,IMPHASH=0E9C1FA273A5EFD763FAC8E145B20C80trueMicrosoft WindowsValid 734700x8000000000000000343957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.357{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202,IMPHASH=0E9C1FA273A5EFD763FAC8E145B20C80trueMicrosoft WindowsValid 734700x8000000000000000343956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.330{6820D070-4DFA-6323-2A01-000000007502}8240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000343955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.326{6820D070-4DFA-6323-2A01-000000007502}8240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000343954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.324{6820D070-4DFA-6323-2A01-000000007502}8240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000343953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.319{6820D070-4DFA-6323-2A01-000000007502}8240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000343952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.315{6820D070-4DFA-6323-2A01-000000007502}8240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000343951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.314{6820D070-4DFA-6323-2A01-000000007502}8240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000343950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.313{6820D070-4DFA-6323-2A01-000000007502}8240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000343949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.312{6820D070-4DFA-6323-2A01-000000007502}8240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000343948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.286{6820D070-4DFA-6323-2A01-000000007502}8240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000343947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.285{6820D070-4DFA-6323-2A01-000000007502}8240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000343946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.285{6820D070-4DFA-6323-2A01-000000007502}8240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000343945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.283{6820D070-4DFA-6323-2A01-000000007502}8240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000343944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.283{6820D070-4DFA-6323-2A01-000000007502}8240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000343943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.281{6820D070-4DFA-6323-2A01-000000007502}8240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000343942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.281{6820D070-4DFA-6323-2A01-000000007502}8240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000343941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.280{6820D070-4DFA-6323-2A01-000000007502}8240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000343940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.280{6820D070-4DFA-6323-2A01-000000007502}8240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000343939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.279{6820D070-4DFA-6323-2A01-000000007502}8240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000343938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.279{6820D070-4DFA-6323-2A01-000000007502}8240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000343937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.279{6820D070-4DFA-6323-2A01-000000007502}8240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000343936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.279{6820D070-4DFA-6323-2A01-000000007502}8240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000343935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.278{6820D070-4DFA-6323-2A01-000000007502}8240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000343934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.277{6820D070-4DFA-6323-2A01-000000007502}8240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000343933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.276{6820D070-4DFA-6323-2A01-000000007502}8240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000343932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.276{6820D070-4DFA-6323-2A01-000000007502}8240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000343931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.275{6820D070-4DFA-6323-2A01-000000007502}8240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000343930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.275{6820D070-4DFA-6323-2A01-000000007502}8240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000343929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.275{6820D070-4DFA-6323-2A01-000000007502}8240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000343928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.275{6820D070-4DFA-6323-2A01-000000007502}8240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000343927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.274{6820D070-4DFA-6323-2A01-000000007502}8240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000343926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.274{6820D070-4DFA-6323-2A01-000000007502}8240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000343925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.273{6820D070-4DFA-6323-2A01-000000007502}8240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000343924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.273{6820D070-4DFA-6323-2A01-000000007502}8240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000343923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.272{6820D070-4DFA-6323-2A01-000000007502}8240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000343922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.272{6820D070-4DFA-6323-2A01-000000007502}8240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000343921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.271{6820D070-4DFA-6323-2A01-000000007502}8240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000343920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.269{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4DFA-6323-2A01-000000007502}8240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.252{6820D070-4DFA-6323-2A01-000000007502}8240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000343918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.251{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll104.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=E955B74FC4EC39B2FBA71B95F5785511,SHA256=AF895F69461521DC6DE09FA62D81F833D63D8559CA58FDBDACDDEBAF756FE717,IMPHASH=603677F758E7CEE100C502B5C0E50293trueMozilla CorporationValid 734700x8000000000000000343917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.251{6820D070-4DFA-6323-2A01-000000007502}8240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000343916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.250{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll104.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=4E78CA1C6C19DE0E2F37505183B005A8,SHA256=ADFA856F86B98E90DA37A1BDA1ABC261A6A871042FB342F93F43C6777E9E3CE2,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 734700x8000000000000000343915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.250{6820D070-4DFA-6323-2A01-000000007502}8240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000343914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.248{6820D070-4DFA-6323-2A01-000000007502}8240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000343913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.240{6820D070-4ACF-6323-0500-000000007502}404520C:\Windows\system32\csrss.exe{6820D070-4DFA-6323-2A01-000000007502}8240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000343912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.239{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4DFA-6323-2A01-000000007502}8240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000343911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.239{6820D070-4DFA-6323-2A01-000000007502}8240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000343910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.186{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll104.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=E955B74FC4EC39B2FBA71B95F5785511,SHA256=AF895F69461521DC6DE09FA62D81F833D63D8559CA58FDBDACDDEBAF756FE717,IMPHASH=603677F758E7CEE100C502B5C0E50293trueMozilla CorporationValid 734700x8000000000000000343909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.185{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll104.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=4E78CA1C6C19DE0E2F37505183B005A8,SHA256=ADFA856F86B98E90DA37A1BDA1ABC261A6A871042FB342F93F43C6777E9E3CE2,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 10341000x8000000000000000343908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.178{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.177{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.174{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.174{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.174{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.173{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.171{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x8000000000000000343901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.169{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x8000000000000000343900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.168{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x8000000000000000343899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.164{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll104.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=E955B74FC4EC39B2FBA71B95F5785511,SHA256=AF895F69461521DC6DE09FA62D81F833D63D8559CA58FDBDACDDEBAF756FE717,IMPHASH=603677F758E7CEE100C502B5C0E50293trueMozilla CorporationValid 734700x8000000000000000343898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.163{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000343897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.161{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll104.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=E955B74FC4EC39B2FBA71B95F5785511,SHA256=AF895F69461521DC6DE09FA62D81F833D63D8559CA58FDBDACDDEBAF756FE717,IMPHASH=603677F758E7CEE100C502B5C0E50293trueMozilla CorporationValid 10341000x8000000000000000343896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.161{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.161{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.159{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll104.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=4E78CA1C6C19DE0E2F37505183B005A8,SHA256=ADFA856F86B98E90DA37A1BDA1ABC261A6A871042FB342F93F43C6777E9E3CE2,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 734700x8000000000000000343893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.159{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000343892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.155{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x8000000000000000343891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.155{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll104.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=4E78CA1C6C19DE0E2F37505183B005A8,SHA256=ADFA856F86B98E90DA37A1BDA1ABC261A6A871042FB342F93F43C6777E9E3CE2,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 734700x8000000000000000343890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.150{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 18141800x8000000000000000343889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:26.150{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-35C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000343888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:26.150{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-35C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000343887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.150{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000343886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.149{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000343885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.147{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000343884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.145{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x8000000000000000343883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.132{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000343882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.131{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x8000000000000000343881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.118{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 10341000x8000000000000000343880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.117{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.114{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.114{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.112{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.109{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000343875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:26.089{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.16229177289342416004C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000343874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:26.089{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.16229177289342416004C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000343873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.081{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.080{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll104.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=E955B74FC4EC39B2FBA71B95F5785511,SHA256=AF895F69461521DC6DE09FA62D81F833D63D8559CA58FDBDACDDEBAF756FE717,IMPHASH=603677F758E7CEE100C502B5C0E50293trueMozilla CorporationValid 734700x8000000000000000343871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.079{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x8000000000000000343870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.079{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll104.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=4E78CA1C6C19DE0E2F37505183B005A8,SHA256=ADFA856F86B98E90DA37A1BDA1ABC261A6A871042FB342F93F43C6777E9E3CE2,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 734700x8000000000000000343869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.078{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000343868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.077{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000343867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.075{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1a81b5a|C:\Program Files\Mozilla Firefox\xul.dll+1a7f91c|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.074{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 18141800x8000000000000000343865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:26.074{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.39.22602867C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000343864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.071{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.069{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll104.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=E955B74FC4EC39B2FBA71B95F5785511,SHA256=AF895F69461521DC6DE09FA62D81F833D63D8559CA58FDBDACDDEBAF756FE717,IMPHASH=603677F758E7CEE100C502B5C0E50293trueMozilla CorporationValid 734700x8000000000000000343862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.068{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll104.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=4E78CA1C6C19DE0E2F37505183B005A8,SHA256=ADFA856F86B98E90DA37A1BDA1ABC261A6A871042FB342F93F43C6777E9E3CE2,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 734700x8000000000000000343861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.067{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x8000000000000000343860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.066{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x8000000000000000343859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.063{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x8000000000000000343858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.063{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x8000000000000000343857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.054{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x8000000000000000343856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.049{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x8000000000000000343855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.049{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x8000000000000000343854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.043{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x8000000000000000343853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.042{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.042{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.042{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000343850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.042{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 10341000x8000000000000000343849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.041{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.041{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.040{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000343846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.040{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x8000000000000000343845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.040{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 10341000x8000000000000000343844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.038{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.037{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.036{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000343841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.035{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000343840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.034{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000343839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.034{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 10341000x8000000000000000343838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.032{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.031{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.031{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 10341000x8000000000000000343835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.031{6820D070-4D64-6323-ED00-000000007502}61404084C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+114dfb|C:\Program Files\Mozilla Firefox\xul.dll+12ee2b1|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000343834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:26.030{6820D070-4D64-6323-ED00-000000007502}6140\gecko-crash-server-pipe.6140C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000343833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.028{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 18141800x8000000000000000343832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:26.024{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-34C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000343831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:26.024{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-34C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000343830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.023{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x8000000000000000343829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.023{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000343828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.022{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x8000000000000000343827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.022{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x8000000000000000343826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.022{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 10341000x8000000000000000343825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.018{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.018{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.017{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000343822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.017{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x8000000000000000343821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.017{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000343820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.017{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000343819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.016{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000343818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.015{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=55FCE44E89BDA2444619661FE50F43EE,SHA256=420CACA0D821E7E9F1D1E683E9899BC2F6D5A4AA06C8D4BB23335DD9490CC0F8,IMPHASH=8B8383FC3FA03C92F859A2AF899A52ADtrueMicrosoft WindowsValid 734700x8000000000000000343817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.015{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll104.0.2-FirefoxMozilla Foundationxul.dllMD5=0A51F22D078855CE4E32F0987E9B06C6,SHA256=CD073C7F42A13D192E8E96AC16B0C2BE56D40424768DC65733380AB4AFBD4716,IMPHASH=9A9A84C657A1B1C5F1F6F1989D349543trueMozilla CorporationValid 734700x8000000000000000343816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.014{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000343815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.014{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll104.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=8A81C934123E7CA79B7A1741570D3336,SHA256=0A0F351BBB315E6364398A55F77607E57C29CB83BEE9FC6D7EA6DC3D761964DA,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x8000000000000000343814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.013{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000343813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.013{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000343812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.013{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x8000000000000000343811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.013{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x8000000000000000343810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.012{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000343809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.012{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 734700x8000000000000000343808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.011{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000343807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.011{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000343806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.011{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000343805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.010{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000343804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.010{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000343803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.010{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll104.0.2-FirefoxMozilla Foundationnss3.dllMD5=53509A4511300964ADB047AD5F1F1170,SHA256=2241536476C6C2CCE371DCFB08432C351198809A577FFC2E79D27FCEAAB6FEE5,IMPHASH=C637BF48786E5FC945D5268F49B50500trueMozilla CorporationValid 734700x8000000000000000343802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.009{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000343801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.007{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x8000000000000000343800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.007{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll104.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=E955B74FC4EC39B2FBA71B95F5785511,SHA256=AF895F69461521DC6DE09FA62D81F833D63D8559CA58FDBDACDDEBAF756FE717,IMPHASH=603677F758E7CEE100C502B5C0E50293trueMozilla CorporationValid 734700x8000000000000000343799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.006{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000343798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.006{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 10341000x8000000000000000343797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.005{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.005{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.005{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000343794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.005{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000343793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.004{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x8000000000000000343792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.002{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll104.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=4E78CA1C6C19DE0E2F37505183B005A8,SHA256=ADFA856F86B98E90DA37A1BDA1ABC261A6A871042FB342F93F43C6777E9E3CE2,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 10341000x8000000000000000343791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.002{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.001{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 10341000x8000000000000000343789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.001{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.000{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000343787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.000{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000343786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.999{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000343785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.998{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000343784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.998{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x8000000000000000343783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.997{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x8000000000000000343782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.997{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000343781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.996{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x8000000000000000343780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.995{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000343779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.995{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000343778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.992{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 18141800x8000000000000000343777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:25.992{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-33C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000343776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:25.992{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-33C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000343775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.991{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x8000000000000000343774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.990{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000343773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.990{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 734700x8000000000000000343772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.989{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 10341000x8000000000000000343771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.989{6820D070-4ACF-6323-0B00-000000007502}620668C:\Windows\system32\lsass.exe{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.989{6820D070-4ACF-6323-0B00-000000007502}620668C:\Windows\system32\lsass.exe{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000343769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:25.988{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-32C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000343768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:25.988{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-32C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000343767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.988{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x8000000000000000343766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.987{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 10341000x8000000000000000343765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.987{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.987{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000343763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.986{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000343762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.986{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5291 (rs1_release.220806-1444)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=0D54B119907CCD11827832973EAB917D,SHA256=78C28A0165B0A2581662CFB3A89E319006518DC2E1A664E6027C7F8EBFA05D92,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x8000000000000000343761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.985{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll104.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D81C40EAA529D675598BD3D88F4D273B,SHA256=F89754F1E16A89AF01B5A3B2F4FDE652AA14DBA3131FB9A831D1E51E2E4D9359,IMPHASH=59035CC8561E9C04E566E656F35B9519trueMozilla CorporationValid 734700x8000000000000000343760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.983{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x8000000000000000343759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.981{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.981{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.981{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x8000000000000000343756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.981{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000343755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.979{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000343754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.979{6820D070-4DF7-6323-1801-000000007502}6996C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202,IMPHASH=0E9C1FA273A5EFD763FAC8E145B20C80trueMicrosoft WindowsValid 734700x8000000000000000343753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.974{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x8000000000000000343752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.971{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000343751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.969{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000343750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.968{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000343749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.967{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x8000000000000000343748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.967{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000343747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.966{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000343746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.966{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 10341000x8000000000000000343745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.966{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e76539|C:\Program Files\Mozilla Firefox\xul.dll+e6774a|C:\Program Files\Mozilla Firefox\xul.dll+378cdc3|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.966{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000343743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.966{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000343742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.965{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000343741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.965{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x8000000000000000343740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.964{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000343739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.964{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 18141800x8000000000000000343738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:25.964{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-31C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000343737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:25.964{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-31C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000343736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.963{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000343735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.961{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000343734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.960{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 734700x8000000000000000343733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.960{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0trueMozilla CorporationValid 10341000x8000000000000000343732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.960{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.960{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 10341000x8000000000000000343730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.960{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9f9b59|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a7fd3f|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.958{6820D070-4B7C-6323-8800-000000007502}628648C:\Windows\system32\csrss.exe{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000343728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.957{6820D070-4D64-6323-ED00-000000007502}61405840C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+2bb52|C:\Program Files\Mozilla Firefox\firefox.exe+59d7|C:\Program Files\Mozilla Firefox\xul.dll+203367f|C:\Program Files\Mozilla Firefox\xul.dll+9f4a88|C:\Program Files\Mozilla Firefox\xul.dll+9f2b85|C:\Program Files\Mozilla Firefox\xul.dll+9faa2e|C:\Program Files\Mozilla Firefox\xul.dll+84ead3|C:\Program Files\Mozilla Firefox\xul.dll+17b26ed|C:\Program Files\Mozilla Firefox\xul.dll+17b0967|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+8523f7|C:\Program Files\Mozilla Firefox\nss3.dll+75edc|C:\Program Files\Mozilla Firefox\nss3.dll+8c1d1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000343727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.957{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6140.39.226028675\1566391436" -childID 36 -isForBrowser -prefsHandle 5364 -prefMapHandle 5660 -prefsLen 31603 -prefMapSize 231974 -jsInitHandle 1100 -jsInitLen 247228 -a11yResourceId 64 -parentBuildID 20220902153754 -appDir "C:\Program Files\Mozilla Firefox\browser" - 6140 "\\.\pipe\gecko-crash-server-pipe.6140" 9504 2612f1dd548 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{6820D070-4B7D-6323-1F63-0C0000000000}0xc631f2LowMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000343726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.956{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.956{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.956{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.955{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x8000000000000000343722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.953{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000343721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.953{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x8000000000000000343720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.952{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 10341000x8000000000000000343719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.951{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.951{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.951{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000343716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.950{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x8000000000000000343715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.950{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000343714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.949{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 734700x8000000000000000343713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.948{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 18141800x8000000000000000343712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:25.947{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-30C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000343711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:25.947{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-30C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000343710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.947{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 18141800x8000000000000000343709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:25.944{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.2212280570039947566C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000343708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:25.944{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.2212280570039947566C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000343707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.942{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000343706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.939{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x8000000000000000343705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.939{6820D070-4ACF-6323-0B00-000000007502}620668C:\Windows\system32\lsass.exe{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.939{6820D070-4ACF-6323-0B00-000000007502}620668C:\Windows\system32\lsass.exe{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.935{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll104.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=E955B74FC4EC39B2FBA71B95F5785511,SHA256=AF895F69461521DC6DE09FA62D81F833D63D8559CA58FDBDACDDEBAF756FE717,IMPHASH=603677F758E7CEE100C502B5C0E50293trueMozilla CorporationValid 10341000x8000000000000000343702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.934{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1a81b5a|C:\Program Files\Mozilla Firefox\xul.dll+1a7fb67|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000343701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:25.934{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.38.94187970C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000343700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.933{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.933{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll104.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=4E78CA1C6C19DE0E2F37505183B005A8,SHA256=ADFA856F86B98E90DA37A1BDA1ABC261A6A871042FB342F93F43C6777E9E3CE2,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 734700x8000000000000000343698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.933{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 10341000x8000000000000000343697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.930{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.930{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.929{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.929{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.929{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.927{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 10341000x8000000000000000343691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.926{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.924{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.922{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x8000000000000000343688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.921{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 18141800x8000000000000000343687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:25.921{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.4533594366236484243C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000343686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:25.921{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.4533594366236484243C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000343685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.921{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 10341000x8000000000000000343684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.921{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.920{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000343682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.919{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000343681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.918{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x8000000000000000343680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.918{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 10341000x8000000000000000343679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.918{6820D070-4D64-6323-ED00-000000007502}61404084C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+114dfb|C:\Program Files\Mozilla Firefox\xul.dll+12ee2b1|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000343678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:25.917{6820D070-4D64-6323-ED00-000000007502}6140\gecko-crash-server-pipe.6140C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000343677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.915{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1a81b5a|C:\Program Files\Mozilla Firefox\xul.dll+1a7fb67|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000343676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:25.914{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.37.68911627C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000343675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.913{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.913{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.913{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.913{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.912{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.912{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.911{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.911{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.907{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000343666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.906{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x8000000000000000343665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.906{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 10341000x8000000000000000343664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.905{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.905{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 18141800x8000000000000000343662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:25.903{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-29C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000343661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:25.903{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-29C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000343660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.902{6820D070-4DF9-6323-1F01-000000007502}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000343659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.901{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.900{6820D070-4DF9-6323-1F01-000000007502}70285960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.900{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202,IMPHASH=0E9C1FA273A5EFD763FAC8E145B20C80trueMicrosoft WindowsValid 734700x8000000000000000343656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.899{6820D070-4DF9-6323-1F01-000000007502}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 10341000x8000000000000000343655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.898{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.897{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000343653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.897{6820D070-4DF9-6323-1F01-000000007502}7028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000343652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.896{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.896{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000343650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.896{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x8000000000000000343649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.895{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000343648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.895{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000343647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.895{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000343646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.894{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000343645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.892{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=55FCE44E89BDA2444619661FE50F43EE,SHA256=420CACA0D821E7E9F1D1E683E9899BC2F6D5A4AA06C8D4BB23335DD9490CC0F8,IMPHASH=8B8383FC3FA03C92F859A2AF899A52ADtrueMicrosoft WindowsValid 734700x8000000000000000343644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.892{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll104.0.2-FirefoxMozilla Foundationxul.dllMD5=0A51F22D078855CE4E32F0987E9B06C6,SHA256=CD073C7F42A13D192E8E96AC16B0C2BE56D40424768DC65733380AB4AFBD4716,IMPHASH=9A9A84C657A1B1C5F1F6F1989D349543trueMozilla CorporationValid 734700x8000000000000000343643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.891{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll104.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=8A81C934123E7CA79B7A1741570D3336,SHA256=0A0F351BBB315E6364398A55F77607E57C29CB83BEE9FC6D7EA6DC3D761964DA,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x8000000000000000343642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.890{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x8000000000000000343641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.889{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 734700x8000000000000000343640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.888{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000343639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.888{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000343638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.888{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000343637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.887{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000343636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.884{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x8000000000000000343635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.883{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000343634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.881{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll104.0.2-FirefoxMozilla Foundationnss3.dllMD5=53509A4511300964ADB047AD5F1F1170,SHA256=2241536476C6C2CCE371DCFB08432C351198809A577FFC2E79D27FCEAAB6FEE5,IMPHASH=C637BF48786E5FC945D5268F49B50500trueMozilla CorporationValid 18141800x8000000000000000343633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:25.879{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.12682766706633186831C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000343632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:25.879{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.12682766706633186831C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000343631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.879{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000343630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.878{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x8000000000000000343629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.878{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000343628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.876{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x8000000000000000343627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.875{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000343626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.874{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 10341000x8000000000000000343625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.872{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.872{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 10341000x8000000000000000343623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.872{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.871{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.871{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.869{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x8000000000000000343619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.867{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.867{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.867{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.867{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.866{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.866{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.866{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.866{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.866{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000343610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.863{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 17141700x8000000000000000343609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:25.862{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.39.22602867C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000343608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.858{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000343607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.857{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 354300x8000000000000000343606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.274{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local61785- 354300x8000000000000000343605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.242{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local54831- 354300x8000000000000000343604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.241{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local61137- 734700x8000000000000000343603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.857{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 354300x8000000000000000343602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.240{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local54859- 734700x8000000000000000343601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.856{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000343600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.856{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 18141800x8000000000000000343599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:25.855{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-28C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000343598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:25.855{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-28C:\Program Files\Mozilla Firefox\firefox.exe 18141800x8000000000000000343597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:25.850{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.2400776177251426825C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000343596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:25.850{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.2400776177251426825C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000343595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.847{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000343594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.846{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x8000000000000000343593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.845{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 10341000x8000000000000000343592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.843{6820D070-4D64-6323-ED00-000000007502}61404084C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+114dfb|C:\Program Files\Mozilla Firefox\xul.dll+12ee2b1|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.843{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1a81b5a|C:\Program Files\Mozilla Firefox\xul.dll+1a7fb67|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000343590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:25.842{6820D070-4D64-6323-ED00-000000007502}6140\gecko-crash-server-pipe.6140C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000343589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.835{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x8000000000000000343588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.834{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000343587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.834{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll104.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=E955B74FC4EC39B2FBA71B95F5785511,SHA256=AF895F69461521DC6DE09FA62D81F833D63D8559CA58FDBDACDDEBAF756FE717,IMPHASH=603677F758E7CEE100C502B5C0E50293trueMozilla CorporationValid 734700x8000000000000000343586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.834{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000343585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.834{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000343584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.833{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll104.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=E955B74FC4EC39B2FBA71B95F5785511,SHA256=AF895F69461521DC6DE09FA62D81F833D63D8559CA58FDBDACDDEBAF756FE717,IMPHASH=603677F758E7CEE100C502B5C0E50293trueMozilla CorporationValid 734700x8000000000000000343583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.833{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll104.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=4E78CA1C6C19DE0E2F37505183B005A8,SHA256=ADFA856F86B98E90DA37A1BDA1ABC261A6A871042FB342F93F43C6777E9E3CE2,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 734700x8000000000000000343582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.833{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000343581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.833{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000343580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.832{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll104.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=4E78CA1C6C19DE0E2F37505183B005A8,SHA256=ADFA856F86B98E90DA37A1BDA1ABC261A6A871042FB342F93F43C6777E9E3CE2,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 734700x8000000000000000343579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.832{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000343578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.832{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x8000000000000000343577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.832{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=55FCE44E89BDA2444619661FE50F43EE,SHA256=420CACA0D821E7E9F1D1E683E9899BC2F6D5A4AA06C8D4BB23335DD9490CC0F8,IMPHASH=8B8383FC3FA03C92F859A2AF899A52ADtrueMicrosoft WindowsValid 734700x8000000000000000343576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.831{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll104.0.2-FirefoxMozilla Foundationxul.dllMD5=0A51F22D078855CE4E32F0987E9B06C6,SHA256=CD073C7F42A13D192E8E96AC16B0C2BE56D40424768DC65733380AB4AFBD4716,IMPHASH=9A9A84C657A1B1C5F1F6F1989D349543trueMozilla CorporationValid 734700x8000000000000000343575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.830{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll104.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=8A81C934123E7CA79B7A1741570D3336,SHA256=0A0F351BBB315E6364398A55F77607E57C29CB83BEE9FC6D7EA6DC3D761964DA,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x8000000000000000343574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.828{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x8000000000000000343573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.826{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000343572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.825{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000343571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.825{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000343570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.825{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000343569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.823{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x8000000000000000343568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.823{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.823{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000343566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.823{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll104.0.2-FirefoxMozilla Foundationnss3.dllMD5=53509A4511300964ADB047AD5F1F1170,SHA256=2241536476C6C2CCE371DCFB08432C351198809A577FFC2E79D27FCEAAB6FEE5,IMPHASH=C637BF48786E5FC945D5268F49B50500trueMozilla CorporationValid 734700x8000000000000000343565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.822{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x8000000000000000343564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.821{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 10341000x8000000000000000343563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.821{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.820{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 18141800x8000000000000000343561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:25.820{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.33.105993728C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000343560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.818{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000343559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.817{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000343558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.817{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 18141800x8000000000000000343557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:25.817{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.3334851256529821816C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000343556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:25.817{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.3334851256529821816C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000343555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.817{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000343554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.817{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000343553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.816{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000343552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.816{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000343551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.816{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000343550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.815{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000343549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.815{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000343548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.815{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.815{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1a81b5a|C:\Program Files\Mozilla Firefox\xul.dll+1a7fb67|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000343546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:25.814{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.35.183867062C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000343545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.814{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1a81b5a|C:\Program Files\Mozilla Firefox\xul.dll+1a7fb67|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.814{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000343543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.813{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000343542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.810{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 734700x8000000000000000343541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.809{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x8000000000000000343540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.808{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x8000000000000000343539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.807{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x8000000000000000343538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.806{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5291 (rs1_release.220806-1444)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=0D54B119907CCD11827832973EAB917D,SHA256=78C28A0165B0A2581662CFB3A89E319006518DC2E1A664E6027C7F8EBFA05D92,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x8000000000000000343537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.805{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll104.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D81C40EAA529D675598BD3D88F4D273B,SHA256=F89754F1E16A89AF01B5A3B2F4FDE652AA14DBA3131FB9A831D1E51E2E4D9359,IMPHASH=59035CC8561E9C04E566E656F35B9519trueMozilla CorporationValid 734700x8000000000000000343536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.805{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000343535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.804{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000343534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.804{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000343533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.802{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll104.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=E955B74FC4EC39B2FBA71B95F5785511,SHA256=AF895F69461521DC6DE09FA62D81F833D63D8559CA58FDBDACDDEBAF756FE717,IMPHASH=603677F758E7CEE100C502B5C0E50293trueMozilla CorporationValid 10341000x8000000000000000343532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.800{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.801{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll104.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=4E78CA1C6C19DE0E2F37505183B005A8,SHA256=ADFA856F86B98E90DA37A1BDA1ABC261A6A871042FB342F93F43C6777E9E3CE2,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 734700x8000000000000000343530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.801{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 10341000x8000000000000000343529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.800{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.799{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x8000000000000000343527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.799{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x8000000000000000343526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.798{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x8000000000000000343525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.797{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5291 (rs1_release.220806-1444)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=0D54B119907CCD11827832973EAB917D,SHA256=78C28A0165B0A2581662CFB3A89E319006518DC2E1A664E6027C7F8EBFA05D92,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x8000000000000000343524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.797{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x8000000000000000343523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.796{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000343522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.796{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 18141800x8000000000000000343521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:25.795{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.32.23495975C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000343520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.795{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000343519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.795{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.795{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.794{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000343516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.794{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x8000000000000000343515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.794{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000343514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.793{6820D070-4D64-6323-ED00-000000007502}61404084C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+114dfb|C:\Program Files\Mozilla Firefox\xul.dll+12ee2b1|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.793{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0trueMozilla CorporationValid 18141800x8000000000000000343512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:25.793{6820D070-4D64-6323-ED00-000000007502}6140\gecko-crash-server-pipe.6140C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000343511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.793{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll104.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D81C40EAA529D675598BD3D88F4D273B,SHA256=F89754F1E16A89AF01B5A3B2F4FDE652AA14DBA3131FB9A831D1E51E2E4D9359,IMPHASH=59035CC8561E9C04E566E656F35B9519trueMozilla CorporationValid 734700x8000000000000000343510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.793{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000343509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.791{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000343508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.789{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000343507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.789{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 18141800x8000000000000000343506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:25.787{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.15741628267890577205C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000343505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:25.787{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.15741628267890577205C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000343504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.787{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 10341000x8000000000000000343503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.787{6820D070-4D64-6323-ED00-000000007502}61404084C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+114dfb|C:\Program Files\Mozilla Firefox\xul.dll+12ee2b1|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000343502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:25.786{6820D070-4D64-6323-ED00-000000007502}6140\gecko-crash-server-pipe.6140C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000343501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.786{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000343500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.786{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 10341000x8000000000000000343499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.785{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e76539|C:\Program Files\Mozilla Firefox\xul.dll+e6774a|C:\Program Files\Mozilla Firefox\xul.dll+378cdc3|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+1a61c23|C:\Program Files\Mozilla Firefox\xul.dll+17b1bad|C:\Program Files\Mozilla Firefox\xul.dll+1a890bb|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.785{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1a81b5a|C:\Program Files\Mozilla Firefox\xul.dll+1a7fb67|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000343497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:25.785{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.36.134760747C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000343496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.785{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 10341000x8000000000000000343495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.785{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9f9b59|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a7fd3f|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.784{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000343493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.784{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 10341000x8000000000000000343492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.783{6820D070-4B7C-6323-8800-000000007502}6281180C:\Windows\system32\csrss.exe{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000343491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.783{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.783{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 10341000x8000000000000000343489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.782{6820D070-4D64-6323-ED00-000000007502}61405840C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+2bb52|C:\Program Files\Mozilla Firefox\firefox.exe+59d7|C:\Program Files\Mozilla Firefox\xul.dll+203367f|C:\Program Files\Mozilla Firefox\xul.dll+9f4a88|C:\Program Files\Mozilla Firefox\xul.dll+9f2b85|C:\Program Files\Mozilla Firefox\xul.dll+9faa2e|C:\Program Files\Mozilla Firefox\xul.dll+84ead3|C:\Program Files\Mozilla Firefox\xul.dll+17b26ed|C:\Program Files\Mozilla Firefox\xul.dll+17b0967|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+8523f7|C:\Program Files\Mozilla Firefox\nss3.dll+75edc|C:\Program Files\Mozilla Firefox\nss3.dll+8c1d1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000343488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.782{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6140.38.941879703\917346091" -childID 35 -isForBrowser -prefsHandle 5588 -prefMapHandle 5740 -prefsLen 31603 -prefMapSize 231974 -jsInitHandle 1100 -jsInitLen 247228 -a11yResourceId 64 -parentBuildID 20220902153754 -appDir "C:\Program Files\Mozilla Firefox\browser" - 6140 "\\.\pipe\gecko-crash-server-pipe.6140" 9272 26122d5bc48 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{6820D070-4B7D-6323-1F63-0C0000000000}0xc631f2LowMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 734700x8000000000000000343487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.782{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=55FCE44E89BDA2444619661FE50F43EE,SHA256=420CACA0D821E7E9F1D1E683E9899BC2F6D5A4AA06C8D4BB23335DD9490CC0F8,IMPHASH=8B8383FC3FA03C92F859A2AF899A52ADtrueMicrosoft WindowsValid 734700x8000000000000000343486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.781{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll104.0.2-FirefoxMozilla Foundationxul.dllMD5=0A51F22D078855CE4E32F0987E9B06C6,SHA256=CD073C7F42A13D192E8E96AC16B0C2BE56D40424768DC65733380AB4AFBD4716,IMPHASH=9A9A84C657A1B1C5F1F6F1989D349543trueMozilla CorporationValid 734700x8000000000000000343485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.781{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll104.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=8A81C934123E7CA79B7A1741570D3336,SHA256=0A0F351BBB315E6364398A55F77607E57C29CB83BEE9FC6D7EA6DC3D761964DA,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 10341000x8000000000000000343484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.780{6820D070-4ACF-6323-0B00-000000007502}620668C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.780{6820D070-4ACF-6323-0B00-000000007502}620668C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.780{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.780{6820D070-4ACF-6323-0B00-000000007502}620668C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.780{6820D070-4ACF-6323-0B00-000000007502}620668C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.780{6820D070-4ACF-6323-0B00-000000007502}620668C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.779{6820D070-4ACF-6323-0B00-000000007502}620668C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.779{6820D070-4ACF-6323-0B00-000000007502}620668C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.779{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 10341000x8000000000000000343475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.779{6820D070-4ACF-6323-0B00-000000007502}620668C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.779{6820D070-4ACF-6323-0B00-000000007502}620668C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.779{6820D070-4ACF-6323-0B00-000000007502}620668C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000343472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:25.779{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.3428666038158648819C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000343471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:25.778{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.3428666038158648819C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000343470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.778{6820D070-4ACF-6323-0B00-000000007502}620668C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.778{6820D070-4ACF-6323-0B00-000000007502}620668C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.778{6820D070-4ACF-6323-0B00-000000007502}620668C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.778{6820D070-4ACF-6323-0B00-000000007502}620668C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.778{6820D070-4ACF-6323-0B00-000000007502}620668C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.777{6820D070-4ACF-6323-0B00-000000007502}620668C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.777{6820D070-4ACF-6323-0B00-000000007502}620668C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.777{6820D070-4ACF-6323-0B00-000000007502}620668C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.777{6820D070-4ACF-6323-0B00-000000007502}620668C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.777{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000343460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.777{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1a81b5a|C:\Program Files\Mozilla Firefox\xul.dll+1a7fb67|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.777{6820D070-4ACF-6323-0B00-000000007502}620668C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.776{6820D070-4ACF-6323-0B00-000000007502}620668C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.776{6820D070-4ACF-6323-0B00-000000007502}620668C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.776{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 18141800x8000000000000000343455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:25.776{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.34.99240149C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000343454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.776{6820D070-4ACF-6323-0B00-000000007502}620668C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.776{6820D070-4ACF-6323-0B00-000000007502}620668C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.776{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 10341000x8000000000000000343451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.776{6820D070-4ACF-6323-0B00-000000007502}620668C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.775{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x8000000000000000343449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.775{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x8000000000000000343448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.775{6820D070-4ACF-6323-0B00-000000007502}620668C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.774{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000343446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.774{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000343445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.774{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll104.0.2-FirefoxMozilla Foundationnss3.dllMD5=53509A4511300964ADB047AD5F1F1170,SHA256=2241536476C6C2CCE371DCFB08432C351198809A577FFC2E79D27FCEAAB6FEE5,IMPHASH=C637BF48786E5FC945D5268F49B50500trueMozilla CorporationValid 17141700x8000000000000000343444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:25.772{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.38.94187970C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000343443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.772{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000343442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.771{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000343441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.770{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x8000000000000000343440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.770{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000343439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.770{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000343438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.770{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000343437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.768{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x8000000000000000343436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.768{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000343435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.768{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x8000000000000000343434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.768{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000343433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.764{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 734700x8000000000000000343432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.763{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x8000000000000000343431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.763{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x8000000000000000343430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.762{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x8000000000000000343429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.762{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000343428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.761{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5291 (rs1_release.220806-1444)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=0D54B119907CCD11827832973EAB917D,SHA256=78C28A0165B0A2581662CFB3A89E319006518DC2E1A664E6027C7F8EBFA05D92,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x8000000000000000343427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.760{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll104.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D81C40EAA529D675598BD3D88F4D273B,SHA256=F89754F1E16A89AF01B5A3B2F4FDE652AA14DBA3131FB9A831D1E51E2E4D9359,IMPHASH=59035CC8561E9C04E566E656F35B9519trueMozilla CorporationValid 734700x8000000000000000343426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.760{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x8000000000000000343425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.758{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.758{6820D070-4D64-6323-ED00-000000007502}61404084C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+114dfb|C:\Program Files\Mozilla Firefox\xul.dll+12ee2b1|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000343423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:25.758{6820D070-4D64-6323-ED00-000000007502}6140\gecko-crash-server-pipe.6140C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000343422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.757{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.757{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.757{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000343419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.756{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 10341000x8000000000000000343418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.756{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.756{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000343416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.756{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 10341000x8000000000000000343415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.756{6820D070-4D64-6323-ED00-000000007502}61404084C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+114dfb|C:\Program Files\Mozilla Firefox\xul.dll+12ee2b1|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.754{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000343413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.750{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x8000000000000000343412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.749{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000343411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.749{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000343410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.748{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000343409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.748{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000343408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.746{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 18141800x8000000000000000343407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:25.746{6820D070-4D64-6323-ED00-000000007502}6140\gecko-crash-server-pipe.6140C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000343406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.745{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0trueMozilla CorporationValid 734700x8000000000000000343405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.744{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 10341000x8000000000000000343404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.740{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.743{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000343402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.741{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 10341000x8000000000000000343401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.740{6820D070-4D64-6323-ED00-000000007502}61404084C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+114dfb|C:\Program Files\Mozilla Firefox\xul.dll+12ee2b1|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000343400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:25.739{6820D070-4D64-6323-ED00-000000007502}6140\gecko-crash-server-pipe.6140C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000343399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.739{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.737{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000343397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.737{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000343396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.737{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000343395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.736{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000343394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.736{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000343393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.736{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 10341000x8000000000000000343392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.735{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.735{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.735{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 10341000x8000000000000000343389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.735{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.735{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 10341000x8000000000000000343387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.734{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.733{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x8000000000000000343385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.732{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x8000000000000000343384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.731{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 18141800x8000000000000000343383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:25.731{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-27C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000343382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:25.731{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-27C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000343381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.730{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000343380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.730{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000343379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.729{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000343378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.729{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000343377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.729{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000343376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.728{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000343375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.728{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000343374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.728{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x8000000000000000343373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.728{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 734700x8000000000000000343372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.728{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x8000000000000000343371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.726{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x8000000000000000343370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.725{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000343369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.725{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000343368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.724{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000343367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.724{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=55FCE44E89BDA2444619661FE50F43EE,SHA256=420CACA0D821E7E9F1D1E683E9899BC2F6D5A4AA06C8D4BB23335DD9490CC0F8,IMPHASH=8B8383FC3FA03C92F859A2AF899A52ADtrueMicrosoft WindowsValid 734700x8000000000000000343366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.723{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll104.0.2-FirefoxMozilla Foundationxul.dllMD5=0A51F22D078855CE4E32F0987E9B06C6,SHA256=CD073C7F42A13D192E8E96AC16B0C2BE56D40424768DC65733380AB4AFBD4716,IMPHASH=9A9A84C657A1B1C5F1F6F1989D349543trueMozilla CorporationValid 734700x8000000000000000343365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.723{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 10341000x8000000000000000343364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.722{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.722{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.722{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000343361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.720{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=55FCE44E89BDA2444619661FE50F43EE,SHA256=420CACA0D821E7E9F1D1E683E9899BC2F6D5A4AA06C8D4BB23335DD9490CC0F8,IMPHASH=8B8383FC3FA03C92F859A2AF899A52ADtrueMicrosoft WindowsValid 734700x8000000000000000343360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.720{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll104.0.2-FirefoxMozilla Foundationxul.dllMD5=0A51F22D078855CE4E32F0987E9B06C6,SHA256=CD073C7F42A13D192E8E96AC16B0C2BE56D40424768DC65733380AB4AFBD4716,IMPHASH=9A9A84C657A1B1C5F1F6F1989D349543trueMozilla CorporationValid 734700x8000000000000000343359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.719{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll104.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=8A81C934123E7CA79B7A1741570D3336,SHA256=0A0F351BBB315E6364398A55F77607E57C29CB83BEE9FC6D7EA6DC3D761964DA,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x8000000000000000343358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.719{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x8000000000000000343357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.718{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll104.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=8A81C934123E7CA79B7A1741570D3336,SHA256=0A0F351BBB315E6364398A55F77607E57C29CB83BEE9FC6D7EA6DC3D761964DA,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x8000000000000000343356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.717{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x8000000000000000343355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.717{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000343354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.716{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000343353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.716{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.716{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 10341000x8000000000000000343351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.716{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.716{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000343349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.715{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000343348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.715{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000343347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.715{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000343346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.715{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll104.0.2-FirefoxMozilla Foundationnss3.dllMD5=53509A4511300964ADB047AD5F1F1170,SHA256=2241536476C6C2CCE371DCFB08432C351198809A577FFC2E79D27FCEAAB6FEE5,IMPHASH=C637BF48786E5FC945D5268F49B50500trueMozilla CorporationValid 734700x8000000000000000343345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.714{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x8000000000000000343344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.713{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0trueMozilla CorporationValid 734700x8000000000000000343343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.713{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x8000000000000000343342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.713{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000343341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.712{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000343340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.712{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000343339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.711{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000343338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.711{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 10341000x8000000000000000343337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.708{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.710{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000343335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.710{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000343334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.710{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000343333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.710{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000343332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.710{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x8000000000000000343331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.709{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000343330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.709{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000343329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.709{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000343328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.709{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000343327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.708{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000343326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.708{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000343325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.708{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000343324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.708{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000343323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.708{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000343322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.708{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000343321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.707{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x8000000000000000343320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.707{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000343319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.707{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=55FCE44E89BDA2444619661FE50F43EE,SHA256=420CACA0D821E7E9F1D1E683E9899BC2F6D5A4AA06C8D4BB23335DD9490CC0F8,IMPHASH=8B8383FC3FA03C92F859A2AF899A52ADtrueMicrosoft WindowsValid 734700x8000000000000000343318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.706{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll104.0.2-FirefoxMozilla Foundationxul.dllMD5=0A51F22D078855CE4E32F0987E9B06C6,SHA256=CD073C7F42A13D192E8E96AC16B0C2BE56D40424768DC65733380AB4AFBD4716,IMPHASH=9A9A84C657A1B1C5F1F6F1989D349543trueMozilla CorporationValid 734700x8000000000000000343317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.706{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll104.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=8A81C934123E7CA79B7A1741570D3336,SHA256=0A0F351BBB315E6364398A55F77607E57C29CB83BEE9FC6D7EA6DC3D761964DA,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 10341000x8000000000000000343316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.705{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e76539|C:\Program Files\Mozilla Firefox\xul.dll+e6774a|C:\Program Files\Mozilla Firefox\xul.dll+378cdc3|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.705{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 10341000x8000000000000000343314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.704{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e76539|C:\Program Files\Mozilla Firefox\xul.dll+e6774a|C:\Program Files\Mozilla Firefox\xul.dll+378cdc3|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.704{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x8000000000000000343312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.704{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 10341000x8000000000000000343311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.703{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e76539|C:\Program Files\Mozilla Firefox\xul.dll+e6774a|C:\Program Files\Mozilla Firefox\xul.dll+378cdc3|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.702{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 10341000x8000000000000000343309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.702{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9f9b59|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a7fd3f|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.702{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9f9b59|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a7fd3f|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.702{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e76539|C:\Program Files\Mozilla Firefox\xul.dll+e6774a|C:\Program Files\Mozilla Firefox\xul.dll+378cdc3|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.701{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9f9b59|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a7fd3f|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000343305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:25.701{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-26C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000343304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:25.701{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-26C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000343303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.701{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9f9b59|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a7fd3f|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.701{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000343301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.700{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x8000000000000000343300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.700{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000343299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.700{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x8000000000000000343298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.700{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll104.0.2-FirefoxMozilla Foundationnss3.dllMD5=53509A4511300964ADB047AD5F1F1170,SHA256=2241536476C6C2CCE371DCFB08432C351198809A577FFC2E79D27FCEAAB6FEE5,IMPHASH=C637BF48786E5FC945D5268F49B50500trueMozilla CorporationValid 10341000x8000000000000000343297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.699{6820D070-4B7C-6323-8800-000000007502}6284268C:\Windows\system32\csrss.exe{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x8000000000000000343296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.699{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000343295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.698{6820D070-4D64-6323-ED00-000000007502}61405840C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+2bb52|C:\Program Files\Mozilla Firefox\firefox.exe+59d7|C:\Program Files\Mozilla Firefox\xul.dll+203367f|C:\Program Files\Mozilla Firefox\xul.dll+9f4a88|C:\Program Files\Mozilla Firefox\xul.dll+9f2b85|C:\Program Files\Mozilla Firefox\xul.dll+9faa2e|C:\Program Files\Mozilla Firefox\xul.dll+84ead3|C:\Program Files\Mozilla Firefox\xul.dll+17b26ed|C:\Program Files\Mozilla Firefox\xul.dll+17b0885|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+8523f7|C:\Program Files\Mozilla Firefox\nss3.dll+75edc|C:\Program Files\Mozilla Firefox\nss3.dll+8c1d1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.698{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5291 (rs1_release.220806-1444)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=0D54B119907CCD11827832973EAB917D,SHA256=78C28A0165B0A2581662CFB3A89E319006518DC2E1A664E6027C7F8EBFA05D92,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 154100x8000000000000000343293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.698{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6140.37.689116274\1853029452" -childID 34 -isForBrowser -prefsHandle 6860 -prefMapHandle 6880 -prefsLen 31603 -prefMapSize 231974 -jsInitHandle 1100 -jsInitLen 247228 -a11yResourceId 64 -parentBuildID 20220902153754 -appDir "C:\Program Files\Mozilla Firefox\browser" - 6140 "\\.\pipe\gecko-crash-server-pipe.6140" 5204 2612e5d2348 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{6820D070-4B7D-6323-1F63-0C0000000000}0xc631f2LowMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 22542200x8000000000000000343292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.067{6820D070-4D64-6323-ED00-000000007502}6140iad-2-sync.go.sonobi.com069.166.1.12;69.166.1.10;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.066{6820D070-4D64-6323-ED00-000000007502}6140sync.go.sonobi.com0type: 5 iad-2-sync.go.sonobi.com;::ffff:69.166.1.10;::ffff:69.166.1.12;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.065{6820D070-4D64-6323-ED00-000000007502}6140sync.go.sonobi.com0type: 5 iad-2-sync.go.sonobi.com;::ffff:69.166.1.12;::ffff:69.166.1.10;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.001{6820D070-4D64-6323-ED00-000000007502}6140creativecdn.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.982{6820D070-4D64-6323-ED00-000000007502}6140ads.stickyadstv.com0type: 5 ip1.ads.stickyadstv.com.akadns.net;type: 5 ip2.ads.stickyadstv.com.akadns.net;type: 5 fp6.ads.stickyadstv.com.akadns.net;::ffff:38.98.139.151;::ffff:38.98.139.150;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.979{6820D070-4D64-6323-ED00-000000007502}6140ssum.casalemedia.com.cdn.cloudflare.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.977{6820D070-4D64-6323-ED00-000000007502}6140creativecdn.com0185.184.8.90;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.967{6820D070-4D64-6323-ED00-000000007502}6140ads.stickyadstv.com0type: 5 ip1.ads.stickyadstv.com.akadns.net;type: 5 ip2.ads.stickyadstv.com.akadns.net;type: 5 fp6.ads.stickyadstv.com.akadns.net;::ffff:38.98.139.150;::ffff:38.98.139.151;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.966{6820D070-4D64-6323-ED00-000000007502}6140creativecdn.com0::ffff:185.184.8.90;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.965{6820D070-4D64-6323-ED00-000000007502}6140ssum.casalemedia.com.cdn.cloudflare.net0104.18.19.126;104.18.18.126;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.862{6820D070-4D64-6323-ED00-000000007502}6140production-loadbalancer-1975618156.eu-central-1.elb.amazonaws.com03.127.18.59;3.74.206.104;18.197.160.71;18.194.202.243;18.198.12.238;52.28.123.190;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.860{6820D070-4D64-6323-ED00-000000007502}6140a-prebid.vidoomy.com0type: 5 production-loadbalancer-1975618156.eu-central-1.elb.amazonaws.com;::ffff:52.28.123.190;::ffff:3.127.18.59;::ffff:3.74.206.104;::ffff:18.197.160.71;::ffff:18.194.202.243;::ffff:18.198.12.238;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.849{6820D070-4D64-6323-ED00-000000007502}6140a-prebid.vidoomy.com0type: 5 production-loadbalancer-1975618156.eu-central-1.elb.amazonaws.com;::ffff:18.198.12.238;::ffff:52.28.123.190;::ffff:3.127.18.59;::ffff:3.74.206.104;::ffff:18.197.160.71;::ffff:18.194.202.243;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.778{6820D070-4D64-6323-ED00-000000007502}6140static.smilewanted.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.765{6820D070-4D64-6323-ED00-000000007502}6140static.smilewanted.com0104.18.25.121;104.18.24.121;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.764{6820D070-4D64-6323-ED00-000000007502}6140static.smilewanted.com0::ffff:104.18.24.121;::ffff:104.18.25.121;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.760{6820D070-4D64-6323-ED00-000000007502}6140static.smilewanted.com0::ffff:104.18.25.121;::ffff:104.18.24.121;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.723{6820D070-4D64-6323-ED00-000000007502}6140rtb.gumgum.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.718{6820D070-4D64-6323-ED00-000000007502}6140rtb.gumgum.com054.205.218.67;18.209.188.131;34.236.30.55;54.205.202.197;3.226.20.33;52.207.167.189;54.236.105.82;54.144.187.195;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.715{6820D070-4D64-6323-ED00-000000007502}6140rtb.gumgum.com0::ffff:54.144.187.195;::ffff:54.205.218.67;::ffff:18.209.188.131;::ffff:34.236.30.55;::ffff:54.205.202.197;::ffff:3.226.20.33;::ffff:52.207.167.189;::ffff:54.236.105.82;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.713{6820D070-4D64-6323-ED00-000000007502}6140rtb.gumgum.com0::ffff:54.236.105.82;::ffff:54.144.187.195;::ffff:54.205.218.67;::ffff:18.209.188.131;::ffff:34.236.30.55;::ffff:54.205.202.197;::ffff:3.226.20.33;::ffff:52.207.167.189;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.699{6820D070-4D64-6323-ED00-000000007502}6140pixel.33across.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.682{6820D070-4D64-6323-ED00-000000007502}6140pixel.33across.com067.202.105.21;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.678{6820D070-4D64-6323-ED00-000000007502}6140e6791.b.akamaiedge.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.677{6820D070-4D64-6323-ED00-000000007502}6140prod.ups-ats.us-east-1.aolp-ds-prd.aws.oath.cloud9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.675{6820D070-4D64-6323-ED00-000000007502}6140e6791.b.akamaiedge.net023.39.61.5;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.674{6820D070-4D64-6323-ED00-000000007502}6140prod.ups-ats.us-east-1.aolp-ds-prd.aws.oath.cloud054.175.87.114;3.218.90.66;52.45.33.138;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.671{6820D070-4D64-6323-ED00-000000007502}6140ssc-cms.33across.com0type: 5 pixel.33across.com;::ffff:67.202.105.21;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.660{6820D070-4D64-6323-ED00-000000007502}6140p.rfihub.com0type: 5 a.rfihub.com;type: 5 a.rfihub.com.akadns.net;type: 5 a-us-east.rfihub.com.akadns.net;::ffff:199.38.167.129;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.646{6820D070-4D64-6323-ED00-000000007502}6140contextual.media.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.637{6820D070-4D64-6323-ED00-000000007502}6140contextual.media.net023.39.60.27;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.632{6820D070-4D64-6323-ED00-000000007502}6140contextual.media.net0::ffff:23.39.60.27;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.627{6820D070-4D64-6323-ED00-000000007502}6140public.servenobid.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.625{6820D070-4D64-6323-ED00-000000007502}6140public.servenobid.com013.33.165.104;13.33.165.79;13.33.165.6;13.33.165.27;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.624{6820D070-4D64-6323-ED00-000000007502}6140public.servenobid.com0::ffff:13.33.165.27;::ffff:13.33.165.104;::ffff:13.33.165.79;::ffff:13.33.165.6;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.624{6820D070-4D64-6323-ED00-000000007502}6140cdn.connectad.io02606:4700:10::6816:37ce;2606:4700:10::ac43:8ae;2606:4700:10::6816:36ce;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.623{6820D070-4D64-6323-ED00-000000007502}6140public.servenobid.com0::ffff:13.33.165.6;::ffff:13.33.165.27;::ffff:13.33.165.104;::ffff:13.33.165.79;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.622{6820D070-4D64-6323-ED00-000000007502}6140cdn.connectad.io0172.67.8.174;104.22.55.206;104.22.54.206;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.621{6820D070-4D64-6323-ED00-000000007502}6140cdn.connectad.io0::ffff:104.22.54.206;::ffff:172.67.8.174;::ffff:104.22.55.206;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.612{6820D070-4D64-6323-ED00-000000007502}6140cdn.connectad.io0::ffff:104.22.55.206;::ffff:104.22.54.206;::ffff:172.67.8.174;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.607{6820D070-4D64-6323-ED00-000000007502}6140us-east-eb2.3lift.com035.71.139.29;52.223.22.214;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.606{6820D070-4D64-6323-ED00-000000007502}6140e8960.b.akamaiedge.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.603{6820D070-4D64-6323-ED00-000000007502}6140prod.appnexus.map.fastly.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.602{6820D070-4D64-6323-ED00-000000007502}6140e8037.g.akamaiedge.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.601{6820D070-4D64-6323-ED00-000000007502}6140e8960.b.akamaiedge.net0104.98.89.221;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.599{6820D070-4D64-6323-ED00-000000007502}6140prod.appnexus.map.fastly.net0146.75.33.108;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.599{6820D070-4D64-6323-ED00-000000007502}6140e8037.g.akamaiedge.net023.39.37.13;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.599{6820D070-4D64-6323-ED00-000000007502}6140csync.smilewanted.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.592{6820D070-4D64-6323-ED00-000000007502}6140csync.smilewanted.com0104.18.24.121;104.18.25.121;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.590{6820D070-4D64-6323-ED00-000000007502}6140sync.serverbid.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.589{6820D070-4D64-6323-ED00-000000007502}6140csync.smilewanted.com0::ffff:104.18.25.121;::ffff:104.18.24.121;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.588{6820D070-4D64-6323-ED00-000000007502}6140e6603.g.akamaiedge.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.585{6820D070-4D64-6323-ED00-000000007502}6140js-sec.indexww.com0type: 5 js-sec.casalemedia.com.edgekey.net;type: 5 e8037.g.akamaiedge.net;::ffff:23.39.37.13;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.584{6820D070-4D64-6323-ED00-000000007502}6140sync.serverbid.com099.86.224.24;99.86.224.101;99.86.224.69;99.86.224.25;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.583{6820D070-4D64-6323-ED00-000000007502}6140sync.serverbid.com0::ffff:99.86.224.25;::ffff:99.86.224.24;::ffff:99.86.224.101;::ffff:99.86.224.69;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.583{6820D070-4D64-6323-ED00-000000007502}6140e6603.g.akamaiedge.net023.53.112.201;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.582{6820D070-4D64-6323-ED00-000000007502}6140csync.smilewanted.com0::ffff:104.18.24.121;::ffff:104.18.25.121;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.582{6820D070-4D64-6323-ED00-000000007502}6140sync.serverbid.com0::ffff:99.86.224.69;::ffff:99.86.224.25;::ffff:99.86.224.24;::ffff:99.86.224.101;C:\Program Files\Mozilla Firefox\firefox.exe 354300x8000000000000000343234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.112{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local61278-false142.250.190.38ord37s33-in-f6.1e100.net443https 354300x8000000000000000343233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.061{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50232-false142.250.190.38ord37s33-in-f6.1e100.net443https 354300x8000000000000000343232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.040{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50231-false142.250.190.38ord37s33-in-f6.1e100.net443https 354300x8000000000000000343231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.013{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50230-false23.64.245.189a23-64-245-189.deploy.static.akamaitechnologies.com443https 354300x8000000000000000343230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.007{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50229-false142.250.190.38ord37s33-in-f6.1e100.net443https 354300x8000000000000000343229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.994{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local61277- 354300x8000000000000000343228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.993{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local54313- 354300x8000000000000000343227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.991{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local55684- 354300x8000000000000000343226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.986{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local64575- 22542200x8000000000000000343225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.014{6820D070-4D64-6323-ED00-000000007502}6140e7876.dscg.akamaiedge.net02600:1405:9000:1a4::1ec4;2600:1405:9000:18e::1ec4;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:24.000{6820D070-4D64-6323-ED00-000000007502}6140e7876.dscg.akamaiedge.net023.64.245.189;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000343223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:23.995{6820D070-4D64-6323-ED00-000000007502}6140secure.insightexpressai.com0type: 5 global-wildcard.insightexpressai.com.edgekey.net;type: 5 e7876.dscg.akamaiedge.net;::ffff:23.64.245.189;C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000343222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.698{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000343221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.698{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000343220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.698{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000343219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.697{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000343218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.697{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x8000000000000000343217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.697{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.697{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll104.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D81C40EAA529D675598BD3D88F4D273B,SHA256=F89754F1E16A89AF01B5A3B2F4FDE652AA14DBA3131FB9A831D1E51E2E4D9359,IMPHASH=59035CC8561E9C04E566E656F35B9519trueMozilla CorporationValid 734700x8000000000000000343215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.697{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 10341000x8000000000000000343214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.696{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.696{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 18141800x8000000000000000343212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:25.696{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-25C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000343211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:25.696{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-25C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000343210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.696{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 10341000x8000000000000000343209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.696{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.696{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000343207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.696{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 734700x8000000000000000343206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.696{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 10341000x8000000000000000343205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.695{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.695{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000343203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.695{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 10341000x8000000000000000343202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.695{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000343201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.695{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000189938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:24.467{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49851-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000189937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:26.203{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58F82BFEB1081766D5D1F55E56E5F821,SHA256=D5BAABD8BE9044766DC0F6B8D44DC7C585CAFB7C697F668C38ED39E20B61D33C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000345556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.988{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000345555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.988{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000345554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.988{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000345553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.987{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000345552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.987{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000345551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.987{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000345550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.954{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000345549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.954{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000345548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.954{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000345547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.954{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000345546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.954{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000345545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.953{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000345544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.902{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000345543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.902{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000345542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.902{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000345541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.884{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000345540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.884{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000345539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.884{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 354300x8000000000000000345538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.026{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63477-false199.187.193.182-443https 354300x8000000000000000345537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.007{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63476-false142.250.190.106ord37s35-in-f10.1e100.net443https 354300x8000000000000000345536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.986{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63462-false124.146.215.48-443https 354300x8000000000000000345535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.985{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63473-false104.36.115.114-443https 354300x8000000000000000345534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.981{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63474-false34.236.17.73ec2-34-236-17-73.compute-1.amazonaws.com443https 354300x8000000000000000345533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.974{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63472-false50.31.142.127chi.outbrain.com443https 354300x8000000000000000345532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.946{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local54202- 354300x8000000000000000345531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.937{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local60488- 354300x8000000000000000345530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.933{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local56411- 354300x8000000000000000345529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.922{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local58227- 354300x8000000000000000345528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.887{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63471-false104.36.115.114-443https 354300x8000000000000000345527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.880{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63469-false54.87.127.173ec2-54-87-127-173.compute-1.amazonaws.com443https 354300x8000000000000000345526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.878{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63470-false104.18.19.126-443https 354300x8000000000000000345525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.871{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local55717- 354300x8000000000000000345524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.870{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63467-false38.91.45.7-443https 354300x8000000000000000345523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.870{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63468-false150.136.156.92-443https 354300x8000000000000000345522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.869{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63466-false34.195.158.163ec2-34-195-158-163.compute-1.amazonaws.com443https 354300x8000000000000000345521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.867{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local62835- 354300x8000000000000000345520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.866{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63459-false37.157.2.234-443https 354300x8000000000000000345519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.861{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63465-false34.98.64.218218.64.98.34.bc.googleusercontent.com443https 354300x8000000000000000345518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.855{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63463-false23.202.201.246a23-202-201-246.deploy.static.akamaitechnologies.com443https 354300x8000000000000000345517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.853{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local62823- 354300x8000000000000000345516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.852{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63535- 354300x8000000000000000345515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.848{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63464-false146.75.34.49-443https 354300x8000000000000000345514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.835{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59614- 354300x8000000000000000345513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.834{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local58512- 354300x8000000000000000345512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.824{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63917- 354300x8000000000000000345511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.808{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local54380- 354300x8000000000000000345510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.799{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63460-false69.175.41.15sovrn-193627-chi03-placeholder443https 354300x8000000000000000345509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.799{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63461-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000345508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.799{6820D070-4ADF-6323-2600-000000007502}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63461-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000345507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.798{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local54282- 354300x8000000000000000345506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.797{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local54345- 734700x8000000000000000345505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.830{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll104.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=E955B74FC4EC39B2FBA71B95F5785511,SHA256=AF895F69461521DC6DE09FA62D81F833D63D8559CA58FDBDACDDEBAF756FE717,IMPHASH=603677F758E7CEE100C502B5C0E50293trueMozilla CorporationValid 734700x8000000000000000345504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.821{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll104.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=4E78CA1C6C19DE0E2F37505183B005A8,SHA256=ADFA856F86B98E90DA37A1BDA1ABC261A6A871042FB342F93F43C6777E9E3CE2,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 10341000x8000000000000000345503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.790{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.789{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.785{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x8000000000000000345500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.782{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x8000000000000000345499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.779{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x8000000000000000345498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.778{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x8000000000000000345497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.777{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.777{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.776{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000345494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.774{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x8000000000000000345493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.772{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000345492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.771{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000345491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.770{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000345490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.769{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000345489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.767{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 18141800x8000000000000000345488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:27.763{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-45C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000345487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:27.763{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-45C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000345486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.759{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000345485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.758{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x8000000000000000345484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.758{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 10341000x8000000000000000345483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.735{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000345482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:27.733{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.14676982496085553478C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000345481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:27.733{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.14676982496085553478C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000345480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.732{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x8000000000000000345479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.731{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000345478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.730{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000345477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.729{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1a81b5a|C:\Program Files\Mozilla Firefox\xul.dll+1a7fb67|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000345476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:27.728{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.49.121500808C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000345475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.724{6820D070-4DFB-6323-3501-000000007502}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000345474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.723{6820D070-4DFB-6323-3501-000000007502}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000345473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.723{6820D070-4DFB-6323-3501-000000007502}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 10341000x8000000000000000345472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.717{6820D070-4D64-6323-ED00-000000007502}61404084C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+114dfb|C:\Program Files\Mozilla Firefox\xul.dll+12ee2b1|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000345471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:27.717{6820D070-4D64-6323-ED00-000000007502}6140\gecko-crash-server-pipe.6140C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000345470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.704{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x8000000000000000345469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.699{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000345468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.699{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000345467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.696{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000345466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.690{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000345465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.689{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000345464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.689{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000345463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.686{6820D070-4DFB-6323-3501-000000007502}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000345462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.685{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=55FCE44E89BDA2444619661FE50F43EE,SHA256=420CACA0D821E7E9F1D1E683E9899BC2F6D5A4AA06C8D4BB23335DD9490CC0F8,IMPHASH=8B8383FC3FA03C92F859A2AF899A52ADtrueMicrosoft WindowsValid 734700x8000000000000000345461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.684{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll104.0.2-FirefoxMozilla Foundationxul.dllMD5=0A51F22D078855CE4E32F0987E9B06C6,SHA256=CD073C7F42A13D192E8E96AC16B0C2BE56D40424768DC65733380AB4AFBD4716,IMPHASH=9A9A84C657A1B1C5F1F6F1989D349543trueMozilla CorporationValid 734700x8000000000000000345460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.684{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll104.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=8A81C934123E7CA79B7A1741570D3336,SHA256=0A0F351BBB315E6364398A55F77607E57C29CB83BEE9FC6D7EA6DC3D761964DA,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x8000000000000000345459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.682{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x8000000000000000345458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.682{6820D070-4DFB-6323-3501-000000007502}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000345457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.681{6820D070-4DFB-6323-3501-000000007502}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000345456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.679{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000345455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.679{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000345454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.679{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000345453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.678{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 734700x8000000000000000345452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.678{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000345451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.677{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000345450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.676{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x8000000000000000345449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.676{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000345448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.676{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000345447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.676{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 734700x8000000000000000345446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.674{6820D070-4DFB-6323-3501-000000007502}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000345445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.670{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000345444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.670{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll104.0.2-FirefoxMozilla Foundationnss3.dllMD5=53509A4511300964ADB047AD5F1F1170,SHA256=2241536476C6C2CCE371DCFB08432C351198809A577FFC2E79D27FCEAAB6FEE5,IMPHASH=C637BF48786E5FC945D5268F49B50500trueMozilla CorporationValid 734700x8000000000000000345443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.665{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000345442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.663{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000345441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.663{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000345440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.662{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000345439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.662{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000345438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.661{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000345437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.660{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000345436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.657{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 734700x8000000000000000345435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.656{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x8000000000000000345434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.655{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x8000000000000000345433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.654{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x8000000000000000345432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.653{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5291 (rs1_release.220806-1444)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=0D54B119907CCD11827832973EAB917D,SHA256=78C28A0165B0A2581662CFB3A89E319006518DC2E1A664E6027C7F8EBFA05D92,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x8000000000000000345431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.652{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll104.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D81C40EAA529D675598BD3D88F4D273B,SHA256=F89754F1E16A89AF01B5A3B2F4FDE652AA14DBA3131FB9A831D1E51E2E4D9359,IMPHASH=59035CC8561E9C04E566E656F35B9519trueMozilla CorporationValid 734700x8000000000000000345430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.651{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000345429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.649{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000345428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.648{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000345427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.648{6820D070-4DFB-6323-3501-000000007502}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000345426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.646{6820D070-4DFB-6323-3501-000000007502}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000345425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.642{6820D070-4DFB-6323-3501-000000007502}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000345424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.641{6820D070-4DFB-6323-3501-000000007502}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000345423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.640{6820D070-4DFB-6323-3501-000000007502}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 10341000x8000000000000000345422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.640{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.640{6820D070-4DFB-6323-3501-000000007502}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 10341000x8000000000000000345420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.639{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.638{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.637{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.637{6820D070-4DFB-6323-3501-000000007502}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000345416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.637{6820D070-4DFB-6323-3501-000000007502}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000345415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.636{6820D070-4DFB-6323-3501-000000007502}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000345414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.636{6820D070-4DFB-6323-3501-000000007502}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000345413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.636{6820D070-4DFB-6323-3501-000000007502}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000345412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.635{6820D070-4DFB-6323-3501-000000007502}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000345411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.634{6820D070-4DFB-6323-3501-000000007502}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000345410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.634{6820D070-4DFB-6323-3501-000000007502}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000345409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.634{6820D070-4DFB-6323-3501-000000007502}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000345408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.633{6820D070-4DFB-6323-3501-000000007502}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000345407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.633{6820D070-4DFB-6323-3501-000000007502}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000345406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.633{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000345405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.633{6820D070-4DFB-6323-3501-000000007502}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000345404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.633{6820D070-4DFB-6323-3501-000000007502}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000345403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.633{6820D070-4DFB-6323-3501-000000007502}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000345402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.632{6820D070-4DFB-6323-3501-000000007502}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000345401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.632{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e76539|C:\Program Files\Mozilla Firefox\xul.dll+e6774a|C:\Program Files\Mozilla Firefox\xul.dll+378cdc3|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.631{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0trueMozilla CorporationValid 734700x8000000000000000345399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.631{6820D070-4DFB-6323-3501-000000007502}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000345398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.631{6820D070-4DFB-6323-3501-000000007502}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000345397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.630{6820D070-4DFB-6323-3501-000000007502}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000345396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.630{6820D070-4DFB-6323-3501-000000007502}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000345395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.628{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9f9b59|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a7fd3f|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.626{6820D070-4B7C-6323-8800-000000007502}6281180C:\Windows\system32\csrss.exe{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000345393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.625{6820D070-4D64-6323-ED00-000000007502}61405840C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+2bb52|C:\Program Files\Mozilla Firefox\firefox.exe+59d7|C:\Program Files\Mozilla Firefox\xul.dll+203367f|C:\Program Files\Mozilla Firefox\xul.dll+9f4a88|C:\Program Files\Mozilla Firefox\xul.dll+9f2b85|C:\Program Files\Mozilla Firefox\xul.dll+9faa2e|C:\Program Files\Mozilla Firefox\xul.dll+84ead3|C:\Program Files\Mozilla Firefox\xul.dll+17b26ed|C:\Program Files\Mozilla Firefox\xul.dll+17b0967|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+8523f7|C:\Program Files\Mozilla Firefox\nss3.dll+75edc|C:\Program Files\Mozilla Firefox\nss3.dll+8c1d1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.625{6820D070-4DFB-6323-3501-000000007502}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 154100x8000000000000000345391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.624{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6140.49.1215008086\1294474730" -childID 46 -isForBrowser -prefsHandle 11376 -prefMapHandle 11372 -prefsLen 31603 -prefMapSize 231974 -jsInitHandle 1100 -jsInitLen 247228 -a11yResourceId 64 -parentBuildID 20220902153754 -appDir "C:\Program Files\Mozilla Firefox\browser" - 6140 "\\.\pipe\gecko-crash-server-pipe.6140" 11052 2612aac6248 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{6820D070-4B7D-6323-1F63-0C0000000000}0xc631f2LowMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 734700x8000000000000000345390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.625{6820D070-4DFB-6323-3501-000000007502}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000345389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.625{6820D070-4DFB-6323-3501-000000007502}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000345388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.624{6820D070-4DFB-6323-3501-000000007502}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000345387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.623{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4DFB-6323-3501-000000007502}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.619{6820D070-4DFB-6323-3501-000000007502}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000345385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.619{6820D070-4DFB-6323-3501-000000007502}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000345384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.619{6820D070-4DFB-6323-3501-000000007502}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000345383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.619{6820D070-4DFB-6323-3501-000000007502}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000345382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.619{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.619{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.619{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.619{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.619{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.619{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.618{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll104.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=E955B74FC4EC39B2FBA71B95F5785511,SHA256=AF895F69461521DC6DE09FA62D81F833D63D8559CA58FDBDACDDEBAF756FE717,IMPHASH=603677F758E7CEE100C502B5C0E50293trueMozilla CorporationValid 10341000x8000000000000000345375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.618{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.618{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.618{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.618{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.618{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.618{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.617{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.617{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.617{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.617{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.617{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.617{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll104.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=4E78CA1C6C19DE0E2F37505183B005A8,SHA256=ADFA856F86B98E90DA37A1BDA1ABC261A6A871042FB342F93F43C6777E9E3CE2,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 10341000x8000000000000000345363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.617{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.616{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.616{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.616{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.616{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.615{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.615{6820D070-4ACF-6323-0500-000000007502}404472C:\Windows\system32\csrss.exe{6820D070-4DFB-6323-3501-000000007502}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000345356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.615{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.615{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4DFB-6323-3501-000000007502}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000345354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.615{6820D070-4DFB-6323-3501-000000007502}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000345353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.615{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.615{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.614{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.610{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.608{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.607{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202,IMPHASH=0E9C1FA273A5EFD763FAC8E145B20C80trueMicrosoft WindowsValid 10341000x8000000000000000345347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.605{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.605{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.604{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.598{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x8000000000000000345343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.595{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x8000000000000000345342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.592{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 17141700x8000000000000000345341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:27.591{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.49.121500808C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000345340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.590{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll104.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=E955B74FC4EC39B2FBA71B95F5785511,SHA256=AF895F69461521DC6DE09FA62D81F833D63D8559CA58FDBDACDDEBAF756FE717,IMPHASH=603677F758E7CEE100C502B5C0E50293trueMozilla CorporationValid 734700x8000000000000000345339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.589{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll104.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=4E78CA1C6C19DE0E2F37505183B005A8,SHA256=ADFA856F86B98E90DA37A1BDA1ABC261A6A871042FB342F93F43C6777E9E3CE2,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 734700x8000000000000000345338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.585{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x8000000000000000345337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.584{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.583{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000345335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.796{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local60164- 354300x8000000000000000345334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.796{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59769- 354300x8000000000000000345333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.795{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local55722- 354300x8000000000000000345332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.795{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local61173- 354300x8000000000000000345331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.794{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local54878- 354300x8000000000000000345330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.792{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local55908- 354300x8000000000000000345329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.791{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63783- 354300x8000000000000000345328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.790{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63452- 354300x8000000000000000345327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.789{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local55440- 354300x8000000000000000345326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.788{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local62423- 354300x8000000000000000345325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.787{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63973- 354300x8000000000000000345324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.786{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local54794- 354300x8000000000000000345323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.785{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local58937- 354300x8000000000000000345322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.785{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local61012- 354300x8000000000000000345321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.782{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local60176- 354300x8000000000000000345320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.781{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63891- 354300x8000000000000000345319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.780{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local56686- 354300x8000000000000000345318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.779{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local64538- 354300x8000000000000000345317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.777{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53589- 354300x8000000000000000345316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.776{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local60630- 354300x8000000000000000345315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.776{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63038- 354300x8000000000000000345314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.773{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local57967- 354300x8000000000000000345313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.773{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local54935- 354300x8000000000000000345312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.772{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53446- 354300x8000000000000000345311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.771{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local62781- 354300x8000000000000000345310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.771{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local64464- 354300x8000000000000000345309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.771{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local55727- 354300x8000000000000000345308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.771{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local56731- 354300x8000000000000000345307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.771{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53445- 354300x8000000000000000345306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.768{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local64403- 354300x8000000000000000345305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.767{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63718- 354300x8000000000000000345304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.767{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63042- 354300x8000000000000000345303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.767{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59285- 354300x8000000000000000345302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.767{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53444- 354300x8000000000000000345301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.767{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53443- 354300x8000000000000000345300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.766{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63508- 354300x8000000000000000345299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.761{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local57931- 354300x8000000000000000345298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.761{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local60850- 354300x8000000000000000345297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.749{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53642- 354300x8000000000000000345296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.748{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local55057- 354300x8000000000000000345295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.748{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local56150- 354300x8000000000000000345294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.739{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local62766- 354300x8000000000000000345293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.737{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local56854- 354300x8000000000000000345292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.729{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local62927- 354300x8000000000000000345291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.729{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local57283- 354300x8000000000000000345290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.720{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63458-false44.209.207.157ec2-44-209-207-157.compute-1.amazonaws.com443https 354300x8000000000000000345289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.708{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local64614-false64.74.236.127chi.outbrain.com443https 354300x8000000000000000345288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.697{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local64613-false3.228.99.19ec2-3-228-99-19.compute-1.amazonaws.com443https 354300x8000000000000000345287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.689{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63457-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domain 354300x8000000000000000345286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.689{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63457-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domain 354300x8000000000000000345285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.689{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local61446- 354300x8000000000000000345284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.688{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local60456- 354300x8000000000000000345283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.678{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local62382- 354300x8000000000000000345282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.673{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53891- 354300x8000000000000000345281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.669{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local58569- 354300x8000000000000000345280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.668{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local62310- 354300x8000000000000000345279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.668{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59689- 354300x8000000000000000345278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.668{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local60943- 354300x8000000000000000345277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.667{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local60737- 354300x8000000000000000345276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.666{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local56205- 354300x8000000000000000345275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.666{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local54993- 354300x8000000000000000345274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.663{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local57160- 354300x8000000000000000345273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.662{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local64612-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domain 354300x8000000000000000345272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.662{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local64612-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domain 354300x8000000000000000345271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.661{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local54734- 354300x8000000000000000345270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.660{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local56206- 354300x8000000000000000345269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.659{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local56381- 354300x8000000000000000345268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.658{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local64031- 354300x8000000000000000345267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.656{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50295-false146.75.34.49-443https 354300x8000000000000000345266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.591{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50294-false216.200.232.253-443https 354300x8000000000000000345265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.582{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local61421- 354300x8000000000000000345264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.577{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59628- 354300x8000000000000000345263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.575{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50293-false3.229.251.39ec2-3-229-251-39.compute-1.amazonaws.com443https 354300x8000000000000000345262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.570{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local55716- 354300x8000000000000000345261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.567{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local57717-false172.67.8.174-443https 354300x8000000000000000345260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.566{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local60718- 354300x8000000000000000345259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.566{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63350- 354300x8000000000000000345258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.554{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50292-false23.202.201.246a23-202-201-246.deploy.static.akamaitechnologies.com443https 354300x8000000000000000345257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.547{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local56890- 354300x8000000000000000345256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.538{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50289-false199.187.193.182-443https 354300x8000000000000000345255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.534{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59941- 354300x8000000000000000345254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.531{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50291-false35.168.53.23ec2-35-168-53-23.compute-1.amazonaws.com443https 10341000x8000000000000000345253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.583{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.582{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e76539|C:\Program Files\Mozilla Firefox\xul.dll+e76f08|C:\Program Files\Mozilla Firefox\xul.dll+e65430|C:\Program Files\Mozilla Firefox\xul.dll+42b8d36|C:\Program Files\Mozilla Firefox\xul.dll+2412b58|C:\Program Files\Mozilla Firefox\xul.dll+9b8b70|C:\Program Files\Mozilla Firefox\xul.dll+9707a1|C:\Program Files\Mozilla Firefox\xul.dll+1810d8|C:\Program Files\Mozilla Firefox\xul.dll+9bc4e5|C:\Program Files\Mozilla Firefox\xul.dll+97c5dc|C:\Program Files\Mozilla Firefox\xul.dll+97f821|C:\Program Files\Mozilla Firefox\xul.dll+97e4db|C:\Program Files\Mozilla Firefox\xul.dll+97d705|C:\Program Files\Mozilla Firefox\xul.dll+988af0|C:\Program Files\Mozilla Firefox\xul.dll+8b5b12|C:\Program Files\Mozilla Firefox\xul.dll+83635f|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f 10341000x8000000000000000345251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.576{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.570{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x8000000000000000345249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.568{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x8000000000000000345248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.568{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000345247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.566{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x8000000000000000345246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.566{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x8000000000000000345245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.561{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000345244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.560{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 10341000x8000000000000000345243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.559{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.559{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.556{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000345240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.552{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000345239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.551{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000345238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.551{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000345237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.549{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 18141800x8000000000000000345236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:27.549{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-44C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000345235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:27.549{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-44C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000345234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.549{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 18141800x8000000000000000345233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:27.549{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-43C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000345232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:27.549{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-43C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000345231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.545{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 23542300x8000000000000000345230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.544{6820D070-4ADF-6323-3200-000000007502}2936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A4D6D86E77AA487792C61F008FF44893,SHA256=B6D893CF2A24DE67A09ED372FD5297A4379466AEB97671DB886B0258437B9BE4,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000345229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.543{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000345228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.543{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000345227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.543{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000345226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.538{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x8000000000000000345225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.538{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000345224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.538{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 10341000x8000000000000000345223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.537{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e76539|C:\Program Files\Mozilla Firefox\xul.dll+e76f08|C:\Program Files\Mozilla Firefox\xul.dll+e65430|C:\Program Files\Mozilla Firefox\xul.dll+42b8d36|C:\Program Files\Mozilla Firefox\xul.dll+2412b58|C:\Program Files\Mozilla Firefox\xul.dll+9b8b70|C:\Program Files\Mozilla Firefox\xul.dll+9707a1|C:\Program Files\Mozilla Firefox\xul.dll+1810d8|C:\Program Files\Mozilla Firefox\xul.dll+9bc4e5|C:\Program Files\Mozilla Firefox\xul.dll+97c5dc|C:\Program Files\Mozilla Firefox\xul.dll+97f821|C:\Program Files\Mozilla Firefox\xul.dll+97e4db|C:\Program Files\Mozilla Firefox\xul.dll+97d705|C:\Program Files\Mozilla Firefox\xul.dll+988af0|C:\Program Files\Mozilla Firefox\xul.dll+8b5b12|C:\Program Files\Mozilla Firefox\xul.dll+83635f|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+1a61c23|C:\Program Files\Mozilla Firefox\xul.dll+17b1bad|C:\Program Files\Mozilla Firefox\xul.dll+1a890bb 734700x8000000000000000345222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.536{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 734700x8000000000000000345221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.531{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000345220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.529{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x8000000000000000345219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.528{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 734700x8000000000000000345218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.517{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll104.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=E955B74FC4EC39B2FBA71B95F5785511,SHA256=AF895F69461521DC6DE09FA62D81F833D63D8559CA58FDBDACDDEBAF756FE717,IMPHASH=603677F758E7CEE100C502B5C0E50293trueMozilla CorporationValid 734700x8000000000000000345217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.513{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll104.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=4E78CA1C6C19DE0E2F37505183B005A8,SHA256=ADFA856F86B98E90DA37A1BDA1ABC261A6A871042FB342F93F43C6777E9E3CE2,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 10341000x8000000000000000345216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.499{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.497{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.495{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.494{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.493{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x8000000000000000345211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.492{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x8000000000000000345210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.491{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x8000000000000000345209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.491{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 18141800x8000000000000000345208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:27.490{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.13582503618634620272C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000345207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:27.490{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.13582503618634620272C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000345206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.489{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000345205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.488{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1a81b5a|C:\Program Files\Mozilla Firefox\xul.dll+1a7fb67|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.488{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 18141800x8000000000000000345203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:27.487{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.13789294120864309288C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000345202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.487{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 18141800x8000000000000000345201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:27.487{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.48.43539839C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000345200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:27.487{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.13789294120864309288C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000345199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.486{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x8000000000000000345198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.486{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000345197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.484{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1a81b5a|C:\Program Files\Mozilla Firefox\xul.dll+1a7fb67|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000345196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:27.484{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.47.45105032C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000345195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.479{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x8000000000000000345194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.478{6820D070-4D64-6323-ED00-000000007502}61404084C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+114dfb|C:\Program Files\Mozilla Firefox\xul.dll+12ee2b1|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000345193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:27.478{6820D070-4D64-6323-ED00-000000007502}6140\gecko-crash-server-pipe.6140C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000345192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.478{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.478{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.477{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 10341000x8000000000000000345189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.474{6820D070-4D64-6323-ED00-000000007502}61404084C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+114dfb|C:\Program Files\Mozilla Firefox\xul.dll+12ee2b1|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000345188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:27.474{6820D070-4D64-6323-ED00-000000007502}6140\gecko-crash-server-pipe.6140C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000345187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.472{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x8000000000000000345186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.470{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000345185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.469{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000345184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.468{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x8000000000000000345183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.468{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000345182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.468{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000345181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.467{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000345180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.467{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000345179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.467{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x8000000000000000345178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.466{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000345177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.466{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000345176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.466{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000345175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.465{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000345174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.465{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000345173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.464{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 10341000x8000000000000000345172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.463{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000345171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.463{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 734700x8000000000000000345170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.463{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000345169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.462{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 10341000x8000000000000000345168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.462{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 734700x8000000000000000345167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.460{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 10341000x8000000000000000345166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.460{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000345165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.460{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000345164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.460{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 734700x8000000000000000345163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.460{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=55FCE44E89BDA2444619661FE50F43EE,SHA256=420CACA0D821E7E9F1D1E683E9899BC2F6D5A4AA06C8D4BB23335DD9490CC0F8,IMPHASH=8B8383FC3FA03C92F859A2AF899A52ADtrueMicrosoft WindowsValid 734700x8000000000000000345162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.459{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll104.0.2-FirefoxMozilla Foundationxul.dllMD5=0A51F22D078855CE4E32F0987E9B06C6,SHA256=CD073C7F42A13D192E8E96AC16B0C2BE56D40424768DC65733380AB4AFBD4716,IMPHASH=9A9A84C657A1B1C5F1F6F1989D349543trueMozilla CorporationValid 734700x8000000000000000345161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.457{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll104.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=8A81C934123E7CA79B7A1741570D3336,SHA256=0A0F351BBB315E6364398A55F77607E57C29CB83BEE9FC6D7EA6DC3D761964DA,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x8000000000000000345160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.456{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000345159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.456{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 18141800x8000000000000000345158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:27.455{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-42C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000345157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:27.455{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-42C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000345156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.455{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=55FCE44E89BDA2444619661FE50F43EE,SHA256=420CACA0D821E7E9F1D1E683E9899BC2F6D5A4AA06C8D4BB23335DD9490CC0F8,IMPHASH=8B8383FC3FA03C92F859A2AF899A52ADtrueMicrosoft WindowsValid 734700x8000000000000000345155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.455{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x8000000000000000345154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.454{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000345153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.454{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000345152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.453{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000345151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.453{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000345150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.453{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000345149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.453{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll104.0.2-FirefoxMozilla Foundationnss3.dllMD5=53509A4511300964ADB047AD5F1F1170,SHA256=2241536476C6C2CCE371DCFB08432C351198809A577FFC2E79D27FCEAAB6FEE5,IMPHASH=C637BF48786E5FC945D5268F49B50500trueMozilla CorporationValid 734700x8000000000000000345148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.452{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll104.0.2-FirefoxMozilla Foundationxul.dllMD5=0A51F22D078855CE4E32F0987E9B06C6,SHA256=CD073C7F42A13D192E8E96AC16B0C2BE56D40424768DC65733380AB4AFBD4716,IMPHASH=9A9A84C657A1B1C5F1F6F1989D349543trueMozilla CorporationValid 734700x8000000000000000345147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.452{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000345146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.452{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll104.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=8A81C934123E7CA79B7A1741570D3336,SHA256=0A0F351BBB315E6364398A55F77607E57C29CB83BEE9FC6D7EA6DC3D761964DA,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x8000000000000000345145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.451{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x8000000000000000345144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.450{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 734700x8000000000000000345143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.450{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x8000000000000000345142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.449{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=B52ACA309FD6F72105951FFBA022327B,SHA256=02AB6CCE4BF0D3F075D5E982F5A4CBDB514CE7C245EA474D7846A86CD3F13202,IMPHASH=0E9C1FA273A5EFD763FAC8E145B20C80trueMicrosoft WindowsValid 734700x8000000000000000345141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.448{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000345140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.448{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000345139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.447{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000345138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.446{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000345137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.444{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000345136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.443{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000345135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.442{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000345134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.441{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll104.0.2-FirefoxMozilla Foundationnss3.dllMD5=53509A4511300964ADB047AD5F1F1170,SHA256=2241536476C6C2CCE371DCFB08432C351198809A577FFC2E79D27FCEAAB6FEE5,IMPHASH=C637BF48786E5FC945D5268F49B50500trueMozilla CorporationValid 734700x8000000000000000345133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.441{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000345132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.440{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000345131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.440{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000345130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.438{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000345129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.437{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000345128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.436{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000345127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.435{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000345126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.435{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000345125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.434{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000345124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.432{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000345123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.428{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 734700x8000000000000000345122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.428{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x8000000000000000345121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.427{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000345120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.427{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 10341000x8000000000000000345119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.427{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.425{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 10341000x8000000000000000345117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.421{6820D070-4DFB-6323-3001-000000007502}91129116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.423{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 18141800x8000000000000000345115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:27.423{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.50298953819550748C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000345114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:27.423{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.50298953819550748C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000345113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.422{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5291 (rs1_release.220806-1444)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=0D54B119907CCD11827832973EAB917D,SHA256=78C28A0165B0A2581662CFB3A89E319006518DC2E1A664E6027C7F8EBFA05D92,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x8000000000000000345112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.421{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll104.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D81C40EAA529D675598BD3D88F4D273B,SHA256=F89754F1E16A89AF01B5A3B2F4FDE652AA14DBA3131FB9A831D1E51E2E4D9359,IMPHASH=59035CC8561E9C04E566E656F35B9519trueMozilla CorporationValid 734700x8000000000000000345111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.420{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000345110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.414{6820D070-4DFB-6323-3001-000000007502}9112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000345109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.410{6820D070-4DFB-6323-3001-000000007502}9112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000345108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.403{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x8000000000000000345107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.401{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000345106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.400{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000345105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.399{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1a81b5a|C:\Program Files\Mozilla Firefox\xul.dll+1a7fb67|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000345104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:27.394{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.46.55332363C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000345103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.392{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 10341000x8000000000000000345102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.389{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.387{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 10341000x8000000000000000345100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.382{6820D070-4D64-6323-ED00-000000007502}61404084C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+114dfb|C:\Program Files\Mozilla Firefox\xul.dll+12ee2b1|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000345099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:27.380{6820D070-4D64-6323-ED00-000000007502}6140\gecko-crash-server-pipe.6140C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000345098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.380{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x8000000000000000345097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.378{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000345096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.374{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000345095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.366{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e76539|C:\Program Files\Mozilla Firefox\xul.dll+e76f08|C:\Program Files\Mozilla Firefox\xul.dll+e65430|C:\Program Files\Mozilla Firefox\xul.dll+42b8d36|C:\Program Files\Mozilla Firefox\xul.dll+2412b58|C:\Program Files\Mozilla Firefox\xul.dll+9b8b70|C:\Program Files\Mozilla Firefox\xul.dll+9707a1|C:\Program Files\Mozilla Firefox\xul.dll+1810d8|C:\Program Files\Mozilla Firefox\xul.dll+9bc4e5|C:\Program Files\Mozilla Firefox\xul.dll+2349237|C:\Program Files\Mozilla Firefox\xul.dll+2349617|C:\Program Files\Mozilla Firefox\xul.dll+8ca7f6|C:\Program Files\Mozilla Firefox\xul.dll+98b446|C:\Program Files\Mozilla Firefox\xul.dll+98a56a|C:\Program Files\Mozilla Firefox\xul.dll+8b6343|C:\Program Files\Mozilla Firefox\xul.dll+8b5b65|C:\Program Files\Mozilla Firefox\xul.dll+83635f|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4 734700x8000000000000000345094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.359{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0trueMozilla CorporationValid 10341000x8000000000000000345093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.357{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e76539|C:\Program Files\Mozilla Firefox\xul.dll+e6774a|C:\Program Files\Mozilla Firefox\xul.dll+e75602|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+1a61c23|C:\Program Files\Mozilla Firefox\xul.dll+17b1bad|C:\Program Files\Mozilla Firefox\xul.dll+1a890bb|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.356{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.356{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.356{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9f9b59|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a7fd3f|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.356{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.356{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.354{6820D070-4B7C-6323-8800-000000007502}628648C:\Windows\system32\csrss.exe{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000345086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.354{6820D070-4D64-6323-ED00-000000007502}61405840C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+2bb52|C:\Program Files\Mozilla Firefox\firefox.exe+59d7|C:\Program Files\Mozilla Firefox\xul.dll+203367f|C:\Program Files\Mozilla Firefox\xul.dll+9f4a88|C:\Program Files\Mozilla Firefox\xul.dll+9f2b85|C:\Program Files\Mozilla Firefox\xul.dll+9faa2e|C:\Program Files\Mozilla Firefox\xul.dll+84ead3|C:\Program Files\Mozilla Firefox\xul.dll+17b26ed|C:\Program Files\Mozilla Firefox\xul.dll+17b0967|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+8523f7|C:\Program Files\Mozilla Firefox\nss3.dll+75edc|C:\Program Files\Mozilla Firefox\nss3.dll+8c1d1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000345085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.354{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6140.48.435398396\23121812" -childID 45 -isForBrowser -prefsHandle 11084 -prefMapHandle 10364 -prefsLen 31603 -prefMapSize 231974 -jsInitHandle 1100 -jsInitLen 247228 -a11yResourceId 64 -parentBuildID 20220902153754 -appDir "C:\Program Files\Mozilla Firefox\browser" - 6140 "\\.\pipe\gecko-crash-server-pipe.6140" 11096 2612aa9e548 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{6820D070-4B7D-6323-1F63-0C0000000000}0xc631f2LowMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 734700x8000000000000000345084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.353{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 10341000x8000000000000000345083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.353{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.352{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.352{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.352{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 10341000x8000000000000000345079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.352{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.352{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.352{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 10341000x8000000000000000345076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.351{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.351{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.351{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.351{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 10341000x8000000000000000345072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.351{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.350{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.350{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.350{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 10341000x8000000000000000345068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.350{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.350{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.350{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 10341000x8000000000000000345065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.350{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.349{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.349{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.349{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.349{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 10341000x8000000000000000345060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.349{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.348{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.348{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=55FCE44E89BDA2444619661FE50F43EE,SHA256=420CACA0D821E7E9F1D1E683E9899BC2F6D5A4AA06C8D4BB23335DD9490CC0F8,IMPHASH=8B8383FC3FA03C92F859A2AF899A52ADtrueMicrosoft WindowsValid 734700x8000000000000000345057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.348{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll104.0.2-FirefoxMozilla Foundationxul.dllMD5=0A51F22D078855CE4E32F0987E9B06C6,SHA256=CD073C7F42A13D192E8E96AC16B0C2BE56D40424768DC65733380AB4AFBD4716,IMPHASH=9A9A84C657A1B1C5F1F6F1989D349543trueMozilla CorporationValid 734700x8000000000000000345056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.348{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll104.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=8A81C934123E7CA79B7A1741570D3336,SHA256=0A0F351BBB315E6364398A55F77607E57C29CB83BEE9FC6D7EA6DC3D761964DA,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 10341000x8000000000000000345055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.347{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.347{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.347{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.347{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.346{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.346{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.346{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x8000000000000000345048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.346{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 10341000x8000000000000000345047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.346{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.345{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x8000000000000000345045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.345{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000345044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.345{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5291 (rs1_release.220806-1444)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=0D54B119907CCD11827832973EAB917D,SHA256=78C28A0165B0A2581662CFB3A89E319006518DC2E1A664E6027C7F8EBFA05D92,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x8000000000000000345043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.344{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000345042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.344{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll104.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D81C40EAA529D675598BD3D88F4D273B,SHA256=F89754F1E16A89AF01B5A3B2F4FDE652AA14DBA3131FB9A831D1E51E2E4D9359,IMPHASH=59035CC8561E9C04E566E656F35B9519trueMozilla CorporationValid 734700x8000000000000000345041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.344{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 17141700x8000000000000000345040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:27.343{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.48.43539839C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000345039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.343{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000345038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.343{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000345037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.342{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000345036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.342{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll104.0.2-FirefoxMozilla Foundationnss3.dllMD5=53509A4511300964ADB047AD5F1F1170,SHA256=2241536476C6C2CCE371DCFB08432C351198809A577FFC2E79D27FCEAAB6FEE5,IMPHASH=C637BF48786E5FC945D5268F49B50500trueMozilla CorporationValid 734700x8000000000000000345035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.341{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 10341000x8000000000000000345034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.341{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.340{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.340{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.340{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.340{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000345029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.340{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000345028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.339{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000345027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.339{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000345026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.338{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0trueMozilla CorporationValid 734700x8000000000000000345025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.338{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000345024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.338{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000345023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.338{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000345022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.337{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e76539|C:\Program Files\Mozilla Firefox\xul.dll+e6774a|C:\Program Files\Mozilla Firefox\xul.dll+e75602|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+1a61c23|C:\Program Files\Mozilla Firefox\xul.dll+17b1bad|C:\Program Files\Mozilla Firefox\xul.dll+1a890bb|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.336{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9f9b59|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a7fd3f|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.336{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000345019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.336{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 10341000x8000000000000000345018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.335{6820D070-4B7C-6323-8800-000000007502}6281180C:\Windows\system32\csrss.exe{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000345017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.334{6820D070-4D64-6323-ED00-000000007502}61405840C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+2bb52|C:\Program Files\Mozilla Firefox\firefox.exe+59d7|C:\Program Files\Mozilla Firefox\xul.dll+203367f|C:\Program Files\Mozilla Firefox\xul.dll+9f4a88|C:\Program Files\Mozilla Firefox\xul.dll+9f2b85|C:\Program Files\Mozilla Firefox\xul.dll+9faa2e|C:\Program Files\Mozilla Firefox\xul.dll+84ead3|C:\Program Files\Mozilla Firefox\xul.dll+17b26ed|C:\Program Files\Mozilla Firefox\xul.dll+17b0967|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+8523f7|C:\Program Files\Mozilla Firefox\nss3.dll+75edc|C:\Program Files\Mozilla Firefox\nss3.dll+8c1d1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000345016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.334{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6140.47.451050320\878611609" -childID 44 -isForBrowser -prefsHandle 10912 -prefMapHandle 10904 -prefsLen 31603 -prefMapSize 231974 -jsInitHandle 1100 -jsInitLen 247228 -a11yResourceId 64 -parentBuildID 20220902153754 -appDir "C:\Program Files\Mozilla Firefox\browser" - 6140 "\\.\pipe\gecko-crash-server-pipe.6140" 10908 2612a905b48 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{6820D070-4B7D-6323-1F63-0C0000000000}0xc631f2LowMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 734700x8000000000000000345015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.334{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 734700x8000000000000000345014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.333{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 10341000x8000000000000000345013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.332{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.332{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.332{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.331{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.331{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.331{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 10341000x8000000000000000345007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.331{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.330{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.330{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 10341000x8000000000000000345004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.330{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.330{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.330{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.330{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.329{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.329{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5291 (rs1_release.220806-1444)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=0D54B119907CCD11827832973EAB917D,SHA256=78C28A0165B0A2581662CFB3A89E319006518DC2E1A664E6027C7F8EBFA05D92,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 10341000x8000000000000000344998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.329{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.329{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.328{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.328{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.328{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.328{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.327{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.326{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.326{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll104.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D81C40EAA529D675598BD3D88F4D273B,SHA256=F89754F1E16A89AF01B5A3B2F4FDE652AA14DBA3131FB9A831D1E51E2E4D9359,IMPHASH=59035CC8561E9C04E566E656F35B9519trueMozilla CorporationValid 10341000x8000000000000000344989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.326{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.326{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000344987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.522{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63787- 354300x8000000000000000344986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.520{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50290-false104.18.18.126-443https 354300x8000000000000000344985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.516{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50288-false8.28.7.81-443https 354300x8000000000000000344984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.508{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50287-false34.202.104.213ec2-34-202-104-213.compute-1.amazonaws.com443https 354300x8000000000000000344983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.483{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50285-false3.74.206.104ec2-3-74-206-104.eu-central-1.compute.amazonaws.com443https 354300x8000000000000000344982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.472{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local57938- 354300x8000000000000000344981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.466{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local54430- 354300x8000000000000000344980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.464{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local60802- 354300x8000000000000000344979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.464{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59826- 354300x8000000000000000344978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.463{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local58673- 354300x8000000000000000344977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.459{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local57144- 354300x8000000000000000344976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.456{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local57901- 354300x8000000000000000344975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.453{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local60531- 354300x8000000000000000344974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.452{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50286-false104.18.18.126-443https 354300x8000000000000000344973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.449{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63368- 354300x8000000000000000344972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.449{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local56231- 354300x8000000000000000344971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.448{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63439- 354300x8000000000000000344970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.448{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local60743- 354300x8000000000000000344969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.434{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local58491- 354300x8000000000000000344968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.389{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50283-false69.175.41.15sovrn-193627-chi03-placeholder443https 354300x8000000000000000344967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.386{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50284-false69.166.1.12-443https 354300x8000000000000000344966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.382{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59685- 354300x8000000000000000344965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.370{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50282-false172.67.8.174-443https 354300x8000000000000000344964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.370{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50281-false159.89.246.130-443https 354300x8000000000000000344963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.364{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local56998- 354300x8000000000000000344962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.349{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59488- 354300x8000000000000000344961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.348{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63927- 354300x8000000000000000344960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.346{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local57573- 354300x8000000000000000344959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.329{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local62300- 354300x8000000000000000344958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.311{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local57836- 354300x8000000000000000344957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.284{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50280-false34.227.219.91ec2-34-227-219-91.compute-1.amazonaws.com443https 354300x8000000000000000344956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.284{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50279-false8.28.7.81-443https 10341000x8000000000000000344955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.325{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.325{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 10341000x8000000000000000344953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.325{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.325{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.325{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.323{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000344949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.323{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000344948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.322{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 17141700x8000000000000000344947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:27.321{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.47.45105032C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000344946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.321{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0trueMozilla CorporationValid 10341000x8000000000000000344945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.319{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e76539|C:\Program Files\Mozilla Firefox\xul.dll+e6774a|C:\Program Files\Mozilla Firefox\xul.dll+e75602|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+1a61c23|C:\Program Files\Mozilla Firefox\xul.dll+17b1bad|C:\Program Files\Mozilla Firefox\xul.dll+1a890bb|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.318{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9f9b59|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a7fd3f|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.313{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.312{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.312{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.312{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.311{6820D070-4B7C-6323-8800-000000007502}6281180C:\Windows\system32\csrss.exe{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000344938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.310{6820D070-4D64-6323-ED00-000000007502}61405840C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+2bb52|C:\Program Files\Mozilla Firefox\firefox.exe+59d7|C:\Program Files\Mozilla Firefox\xul.dll+203367f|C:\Program Files\Mozilla Firefox\xul.dll+9f4a88|C:\Program Files\Mozilla Firefox\xul.dll+9f2b85|C:\Program Files\Mozilla Firefox\xul.dll+9faa2e|C:\Program Files\Mozilla Firefox\xul.dll+84ead3|C:\Program Files\Mozilla Firefox\xul.dll+17b26ed|C:\Program Files\Mozilla Firefox\xul.dll+17b0967|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+8523f7|C:\Program Files\Mozilla Firefox\nss3.dll+75edc|C:\Program Files\Mozilla Firefox\nss3.dll+8c1d1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000344937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.310{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6140.46.553323635\196725913" -childID 43 -isForBrowser -prefsHandle 10448 -prefMapHandle 10760 -prefsLen 31603 -prefMapSize 231974 -jsInitHandle 1100 -jsInitLen 247228 -a11yResourceId 64 -parentBuildID 20220902153754 -appDir "C:\Program Files\Mozilla Firefox\browser" - 6140 "\\.\pipe\gecko-crash-server-pipe.6140" 10688 2612a905848 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{6820D070-4B7D-6323-1F63-0C0000000000}0xc631f2LowMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000344936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.309{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.309{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.309{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.309{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.308{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.307{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.307{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.307{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.306{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.306{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.306{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.305{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.305{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.305{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.304{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.304{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.304{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.304{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.304{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.303{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.303{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.303{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.303{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.302{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.299{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.299{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000344910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:27.297{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.46.55332363C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000344909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.284{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.260{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000344907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.260{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000344906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.260{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000344905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.259{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000344904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.259{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000344903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.259{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 734700x8000000000000000344902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.248{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll104.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=E955B74FC4EC39B2FBA71B95F5785511,SHA256=AF895F69461521DC6DE09FA62D81F833D63D8559CA58FDBDACDDEBAF756FE717,IMPHASH=603677F758E7CEE100C502B5C0E50293trueMozilla CorporationValid 734700x8000000000000000344901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.247{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll104.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=4E78CA1C6C19DE0E2F37505183B005A8,SHA256=ADFA856F86B98E90DA37A1BDA1ABC261A6A871042FB342F93F43C6777E9E3CE2,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 734700x8000000000000000344900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.227{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll104.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=E955B74FC4EC39B2FBA71B95F5785511,SHA256=AF895F69461521DC6DE09FA62D81F833D63D8559CA58FDBDACDDEBAF756FE717,IMPHASH=603677F758E7CEE100C502B5C0E50293trueMozilla CorporationValid 734700x8000000000000000344899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.226{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll104.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=4E78CA1C6C19DE0E2F37505183B005A8,SHA256=ADFA856F86B98E90DA37A1BDA1ABC261A6A871042FB342F93F43C6777E9E3CE2,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 10341000x8000000000000000344898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.210{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.208{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.204{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x8000000000000000344895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.202{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x8000000000000000344894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.201{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x8000000000000000344893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.196{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x8000000000000000344892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.196{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.195{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.195{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.194{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 10341000x8000000000000000344888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.194{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.193{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x8000000000000000344886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.190{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000344885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.189{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000344884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.189{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000344883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.189{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000344882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.188{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x8000000000000000344881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.188{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x8000000000000000344880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.186{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x8000000000000000344879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.184{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 18141800x8000000000000000344878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:27.183{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-41C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000344877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:27.183{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-41C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000344876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.180{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000344875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.180{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000344874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.180{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 10341000x8000000000000000344873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.179{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.179{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.179{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 734700x8000000000000000344870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.178{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000344869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.173{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x8000000000000000344868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.170{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000344867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.169{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000344866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.168{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000344865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.168{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000344864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.166{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 10341000x8000000000000000344863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.161{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000344862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:27.160{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-40C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000344861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:27.160{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-40C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000344860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.160{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x8000000000000000344859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.159{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 18141800x8000000000000000344858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:27.159{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.298272363606293653C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000344857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:27.158{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.298272363606293653C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000344856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.158{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000344855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.157{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000344854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.157{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 10341000x8000000000000000344853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.157{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1a81b5a|C:\Program Files\Mozilla Firefox\xul.dll+1a7fb67|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000344852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:27.156{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.45.32768411C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000344851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.154{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 10341000x8000000000000000344850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.146{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000344849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.146{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000344848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.146{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000344847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.145{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000344846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.145{6820D070-4D64-6323-ED00-000000007502}61404084C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+114dfb|C:\Program Files\Mozilla Firefox\xul.dll+12ee2b1|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.145{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000344844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.145{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 18141800x8000000000000000344843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:27.145{6820D070-4D64-6323-ED00-000000007502}6140\gecko-crash-server-pipe.6140C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000344842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.140{6820D070-4DFB-6323-3001-000000007502}9112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000344841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.140{6820D070-4DFB-6323-3001-000000007502}9112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000344840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.139{6820D070-4DFB-6323-3001-000000007502}9112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000344839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.137{6820D070-4DFB-6323-3001-000000007502}9112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000344838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.137{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x8000000000000000344837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.137{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000344836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.136{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000344835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.136{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000344834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.135{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000344833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.135{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000344832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.134{6820D070-4DFB-6323-3001-000000007502}9112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000344831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.134{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000344830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.133{6820D070-4DFB-6323-3001-000000007502}9112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000344829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.133{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=55FCE44E89BDA2444619661FE50F43EE,SHA256=420CACA0D821E7E9F1D1E683E9899BC2F6D5A4AA06C8D4BB23335DD9490CC0F8,IMPHASH=8B8383FC3FA03C92F859A2AF899A52ADtrueMicrosoft WindowsValid 734700x8000000000000000344828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.133{6820D070-4DFB-6323-3001-000000007502}9112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000344827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.133{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll104.0.2-FirefoxMozilla Foundationxul.dllMD5=0A51F22D078855CE4E32F0987E9B06C6,SHA256=CD073C7F42A13D192E8E96AC16B0C2BE56D40424768DC65733380AB4AFBD4716,IMPHASH=9A9A84C657A1B1C5F1F6F1989D349543trueMozilla CorporationValid 734700x8000000000000000344826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.132{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll104.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=8A81C934123E7CA79B7A1741570D3336,SHA256=0A0F351BBB315E6364398A55F77607E57C29CB83BEE9FC6D7EA6DC3D761964DA,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 10341000x8000000000000000344825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.132{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.131{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x8000000000000000344823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.130{6820D070-4DFB-6323-3001-000000007502}9112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 18141800x8000000000000000344822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:27.129{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.14271025091124134795C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000344821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:27.129{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.14271025091124134795C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000344820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.129{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000344819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.128{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x8000000000000000344818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.128{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000344817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.127{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000344816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.127{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000344815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.126{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000344814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.126{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x8000000000000000344813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.126{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1a81b5a|C:\Program Files\Mozilla Firefox\xul.dll+1a7fb67|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000344812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:27.125{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.44.80253500C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000344811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.125{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000344810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.125{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll104.0.2-FirefoxMozilla Foundationnss3.dllMD5=53509A4511300964ADB047AD5F1F1170,SHA256=2241536476C6C2CCE371DCFB08432C351198809A577FFC2E79D27FCEAAB6FEE5,IMPHASH=C637BF48786E5FC945D5268F49B50500trueMozilla CorporationValid 734700x8000000000000000344809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.124{6820D070-4DFB-6323-3001-000000007502}9112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000344808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.123{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.123{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.123{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 10341000x8000000000000000344805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.122{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.122{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.122{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000344802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.122{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000344801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.121{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000344800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.121{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000344799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.119{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000344798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.119{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000344797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.116{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 734700x8000000000000000344796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.115{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x8000000000000000344795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.115{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x8000000000000000344794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.114{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x8000000000000000344793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.114{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5291 (rs1_release.220806-1444)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=0D54B119907CCD11827832973EAB917D,SHA256=78C28A0165B0A2581662CFB3A89E319006518DC2E1A664E6027C7F8EBFA05D92,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x8000000000000000344792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.113{6820D070-4DFB-6323-3001-000000007502}9112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000344791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.113{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll104.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D81C40EAA529D675598BD3D88F4D273B,SHA256=F89754F1E16A89AF01B5A3B2F4FDE652AA14DBA3131FB9A831D1E51E2E4D9359,IMPHASH=59035CC8561E9C04E566E656F35B9519trueMozilla CorporationValid 734700x8000000000000000344790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.113{6820D070-4DFB-6323-3001-000000007502}9112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000344789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.113{6820D070-4DFB-6323-3001-000000007502}9112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000344788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.113{6820D070-4DFB-6323-3001-000000007502}9112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000344787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.113{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000344786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.112{6820D070-4DFB-6323-3001-000000007502}9112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000344785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.112{6820D070-4DFB-6323-3001-000000007502}9112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 10341000x8000000000000000344784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.111{6820D070-4D64-6323-ED00-000000007502}61404084C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+114dfb|C:\Program Files\Mozilla Firefox\xul.dll+12ee2b1|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000344783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:27.111{6820D070-4D64-6323-ED00-000000007502}6140\gecko-crash-server-pipe.6140C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000344782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.111{6820D070-4DFB-6323-3001-000000007502}9112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000344781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.111{6820D070-4DFB-6323-3001-000000007502}9112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000344780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.111{6820D070-4DFB-6323-3001-000000007502}9112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000344779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.110{6820D070-4DFB-6323-3001-000000007502}9112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000344778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.110{6820D070-4DFB-6323-3001-000000007502}9112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000344777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.109{6820D070-4DFB-6323-3001-000000007502}9112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000344776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.107{6820D070-4DFB-6323-3001-000000007502}9112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000344775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.106{6820D070-4DFB-6323-3001-000000007502}9112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000344774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.106{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000344773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.106{6820D070-4DFB-6323-3001-000000007502}9112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000344772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.105{6820D070-4DFB-6323-3001-000000007502}9112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000344771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.105{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000344770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.105{6820D070-4DFB-6323-3001-000000007502}9112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000344769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.104{6820D070-4DFB-6323-3001-000000007502}9112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 10341000x8000000000000000344768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.104{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e76539|C:\Program Files\Mozilla Firefox\xul.dll+e6774a|C:\Program Files\Mozilla Firefox\xul.dll+378cdc3|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+1a61c23|C:\Program Files\Mozilla Firefox\xul.dll+17b1bad|C:\Program Files\Mozilla Firefox\xul.dll+1a890bb|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.104{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000344766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.104{6820D070-4DFB-6323-3001-000000007502}9112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000344765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.104{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x8000000000000000344764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.103{6820D070-4DFB-6323-3001-000000007502}9112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000344763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.103{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0trueMozilla CorporationValid 734700x8000000000000000344762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.103{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 10341000x8000000000000000344761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.103{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9f9b59|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a7fd3f|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.103{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000344759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.102{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000344758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.102{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000344757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.102{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000344756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.101{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 10341000x8000000000000000344755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.101{6820D070-4B7C-6323-8800-000000007502}6281180C:\Windows\system32\csrss.exe{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000344754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.101{6820D070-4D64-6323-ED00-000000007502}61405840C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+2bb52|C:\Program Files\Mozilla Firefox\firefox.exe+59d7|C:\Program Files\Mozilla Firefox\xul.dll+203367f|C:\Program Files\Mozilla Firefox\xul.dll+9f4a88|C:\Program Files\Mozilla Firefox\xul.dll+9f2b85|C:\Program Files\Mozilla Firefox\xul.dll+9faa2e|C:\Program Files\Mozilla Firefox\xul.dll+84ead3|C:\Program Files\Mozilla Firefox\xul.dll+17b26ed|C:\Program Files\Mozilla Firefox\xul.dll+17b0967|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+8523f7|C:\Program Files\Mozilla Firefox\nss3.dll+75edc|C:\Program Files\Mozilla Firefox\nss3.dll+8c1d1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000344753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.101{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6140.45.327684115\1469256152" -childID 42 -isForBrowser -prefsHandle 10544 -prefMapHandle 10464 -prefsLen 31603 -prefMapSize 231974 -jsInitHandle 1100 -jsInitLen 247228 -a11yResourceId 64 -parentBuildID 20220902153754 -appDir "C:\Program Files\Mozilla Firefox\browser" - 6140 "\\.\pipe\gecko-crash-server-pipe.6140" 10448 2612a192b48 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{6820D070-4B7D-6323-1F63-0C0000000000}0xc631f2LowMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 734700x8000000000000000344752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.101{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=55FCE44E89BDA2444619661FE50F43EE,SHA256=420CACA0D821E7E9F1D1E683E9899BC2F6D5A4AA06C8D4BB23335DD9490CC0F8,IMPHASH=8B8383FC3FA03C92F859A2AF899A52ADtrueMicrosoft WindowsValid 734700x8000000000000000344751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.101{6820D070-4DFB-6323-3001-000000007502}9112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000344750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.100{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll104.0.2-FirefoxMozilla Foundationxul.dllMD5=0A51F22D078855CE4E32F0987E9B06C6,SHA256=CD073C7F42A13D192E8E96AC16B0C2BE56D40424768DC65733380AB4AFBD4716,IMPHASH=9A9A84C657A1B1C5F1F6F1989D349543trueMozilla CorporationValid 734700x8000000000000000344749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.100{6820D070-4DFB-6323-3001-000000007502}9112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000344748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.100{6820D070-4DFB-6323-3001-000000007502}9112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000344747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.100{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll104.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=8A81C934123E7CA79B7A1741570D3336,SHA256=0A0F351BBB315E6364398A55F77607E57C29CB83BEE9FC6D7EA6DC3D761964DA,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x8000000000000000344746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.100{6820D070-4DFB-6323-3001-000000007502}9112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000344745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.099{6820D070-4DFB-6323-3001-000000007502}9112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000344744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.099{6820D070-4DFB-6323-3001-000000007502}9112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000344743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.099{6820D070-4DFB-6323-3001-000000007502}9112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000344742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.099{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 10341000x8000000000000000344741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.098{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.098{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.098{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.098{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4DFB-6323-3001-000000007502}9112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.098{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.098{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.098{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.097{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000344733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.097{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.097{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.097{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.097{6820D070-4DFB-6323-3001-000000007502}9112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000344729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.097{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 10341000x8000000000000000344728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.097{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.096{6820D070-4DFB-6323-3001-000000007502}9112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000344726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.096{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.096{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 10341000x8000000000000000344724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.096{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.096{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.096{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.095{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.095{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.095{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x8000000000000000344718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.095{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.095{6820D070-4DFB-6323-3001-000000007502}9112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000344716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.095{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.094{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.094{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.093{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.094{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000344711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.094{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.094{6820D070-4DFB-6323-3001-000000007502}9112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000344709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.093{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.093{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.093{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll104.0.2-FirefoxMozilla Foundationnss3.dllMD5=53509A4511300964ADB047AD5F1F1170,SHA256=2241536476C6C2CCE371DCFB08432C351198809A577FFC2E79D27FCEAAB6FEE5,IMPHASH=C637BF48786E5FC945D5268F49B50500trueMozilla CorporationValid 10341000x8000000000000000344706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.093{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.093{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.093{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.092{6820D070-4ACF-6323-0500-000000007502}404520C:\Windows\system32\csrss.exe{6820D070-4DFB-6323-3001-000000007502}9112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000344702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.092{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.092{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4DFB-6323-3001-000000007502}9112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.092{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000344699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.092{6820D070-4DFB-6323-3001-000000007502}9112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000344698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.091{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000344697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:27.088{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.45.32768411C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000344696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.086{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000344695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.085{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000344694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.084{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000344693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.084{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000344692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.083{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000344691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.082{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000344690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.081{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000344689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.077{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 734700x8000000000000000344688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.076{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x8000000000000000344687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.075{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x8000000000000000344686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.075{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 354300x8000000000000000344685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.262{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50270-false37.157.2.234-443https 354300x8000000000000000344684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.258{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50277-false54.159.152.149ec2-54-159-152-149.compute-1.amazonaws.com443https 354300x8000000000000000344683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.235{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local61074- 354300x8000000000000000344682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.226{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local54152- 354300x8000000000000000344681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.223{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59744- 354300x8000000000000000344680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.222{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local56393- 354300x8000000000000000344679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.217{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local57968- 354300x8000000000000000344678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.214{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local55637- 354300x8000000000000000344677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.187{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50276-false54.204.204.21ec2-54-204-204-21.compute-1.amazonaws.com443https 354300x8000000000000000344676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.186{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local60224- 354300x8000000000000000344675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.185{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local56938- 354300x8000000000000000344674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.176{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50272-false199.38.167.129-443https 354300x8000000000000000344673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.175{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50275-false8.28.7.81-443https 354300x8000000000000000344672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.172{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50274-false69.166.1.12-443https 354300x8000000000000000344671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.172{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50271-false44.209.207.157ec2-44-209-207-157.compute-1.amazonaws.com443https 354300x8000000000000000344670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.169{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50269-false104.18.18.126-443https 354300x8000000000000000344669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.169{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50273-false104.18.18.126-443https 354300x8000000000000000344668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.167{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59534- 354300x8000000000000000344667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.166{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local62450- 354300x8000000000000000344666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.159{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63360- 354300x8000000000000000344665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.158{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local55640- 354300x8000000000000000344664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.155{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local60174- 354300x8000000000000000344663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.152{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local55903- 354300x8000000000000000344662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.145{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local60258- 354300x8000000000000000344661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.139{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local57671- 354300x8000000000000000344660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.139{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local62647- 354300x8000000000000000344659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.113{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local54621- 354300x8000000000000000344658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.112{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59479- 354300x8000000000000000344657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.108{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50263-false18.198.12.238ec2-18-198-12-238.eu-central-1.compute.amazonaws.com443https 354300x8000000000000000344656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.106{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local58984- 354300x8000000000000000344655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.105{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local54223- 354300x8000000000000000344654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.104{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local54146- 354300x8000000000000000344653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.099{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50266-false185.184.8.90ip-185-184-8-90.rtbhouse.net443https 354300x8000000000000000344652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.097{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local64330- 354300x8000000000000000344651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.094{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local56214- 354300x8000000000000000344650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.092{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local54215- 354300x8000000000000000344649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.086{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local60237- 354300x8000000000000000344648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.085{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59424- 354300x8000000000000000344647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.079{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local54525- 354300x8000000000000000344646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.071{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local54001- 734700x8000000000000000344645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.074{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5291 (rs1_release.220806-1444)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=0D54B119907CCD11827832973EAB917D,SHA256=78C28A0165B0A2581662CFB3A89E319006518DC2E1A664E6027C7F8EBFA05D92,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 354300x8000000000000000344644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.071{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local54078- 354300x8000000000000000344643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.068{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63733- 354300x8000000000000000344642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.066{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63006- 354300x8000000000000000344641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.063{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53723- 354300x8000000000000000344640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.062{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53910- 354300x8000000000000000344639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.062{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local54121- 354300x8000000000000000344638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.060{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local60512- 354300x8000000000000000344637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.059{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local62448- 354300x8000000000000000344636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.059{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local58249- 354300x8000000000000000344635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.058{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53831- 354300x8000000000000000344634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.057{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local54565- 354300x8000000000000000344633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.057{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local58894- 354300x8000000000000000344632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.041{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local64008- 354300x8000000000000000344631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.040{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50268-false52.87.80.8ec2-52-87-80-8.compute-1.amazonaws.com443https 354300x8000000000000000344630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.039{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50267-false104.18.19.126-443https 354300x8000000000000000344629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.036{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53978- 354300x8000000000000000344628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.035{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59672- 354300x8000000000000000344627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.032{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratorudptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53438-false35.227.252.103103.252.227.35.bc.googleusercontent.com443https 354300x8000000000000000344626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.031{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50264-false38.98.139.150-443https 354300x8000000000000000344625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.022{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50265-false52.87.80.8ec2-52-87-80-8.compute-1.amazonaws.com443https 734700x8000000000000000344624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.073{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll104.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D81C40EAA529D675598BD3D88F4D273B,SHA256=F89754F1E16A89AF01B5A3B2F4FDE652AA14DBA3131FB9A831D1E51E2E4D9359,IMPHASH=59035CC8561E9C04E566E656F35B9519trueMozilla CorporationValid 734700x8000000000000000344623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.072{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000344622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.068{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000344621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.067{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000344620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.066{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e76539|C:\Program Files\Mozilla Firefox\xul.dll+e6774a|C:\Program Files\Mozilla Firefox\xul.dll+378cdc3|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+1a61c23|C:\Program Files\Mozilla Firefox\xul.dll+17b1bad|C:\Program Files\Mozilla Firefox\xul.dll+1a890bb|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000344619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.066{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000344618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.066{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0trueMozilla CorporationValid 10341000x8000000000000000344617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.065{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9f9b59|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a7fd3f|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.061{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.060{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.059{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.059{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.057{6820D070-4B7C-6323-8800-000000007502}6284268C:\Windows\system32\csrss.exe{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000344611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.056{6820D070-4D64-6323-ED00-000000007502}61405840C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+2bb52|C:\Program Files\Mozilla Firefox\firefox.exe+59d7|C:\Program Files\Mozilla Firefox\xul.dll+203367f|C:\Program Files\Mozilla Firefox\xul.dll+9f4a88|C:\Program Files\Mozilla Firefox\xul.dll+9f2b85|C:\Program Files\Mozilla Firefox\xul.dll+9faa2e|C:\Program Files\Mozilla Firefox\xul.dll+84ead3|C:\Program Files\Mozilla Firefox\xul.dll+17b26ed|C:\Program Files\Mozilla Firefox\xul.dll+17b0967|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+8523f7|C:\Program Files\Mozilla Firefox\nss3.dll+75edc|C:\Program Files\Mozilla Firefox\nss3.dll+8c1d1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000344610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.057{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6140.44.802535009\1065058641" -childID 41 -isForBrowser -prefsHandle 10284 -prefMapHandle 9968 -prefsLen 31603 -prefMapSize 231974 -jsInitHandle 1100 -jsInitLen 247228 -a11yResourceId 64 -parentBuildID 20220902153754 -appDir "C:\Program Files\Mozilla Firefox\browser" - 6140 "\\.\pipe\gecko-crash-server-pipe.6140" 10272 26129f39b48 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{6820D070-4B7D-6323-1F63-0C0000000000}0xc631f2LowMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000344609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.055{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.055{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.055{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.054{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.054{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.054{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.054{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.053{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.053{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.053{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.053{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.052{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.052{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.052{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.052{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.051{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.051{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.051{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.051{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.051{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.050{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.050{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.050{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.050{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.050{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000344584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.049{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000344583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:27.047{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.44.80253500C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.800{6820D070-4D64-6323-ED00-000000007502}6140lga-bh-bgp.contextweb.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.797{6820D070-4D64-6323-ED00-000000007502}6140tg.dr.socdm.com0202.241.208.52;124.146.215.45;202.241.208.57;124.146.215.46;202.241.208.54;124.146.215.49;124.146.215.44;202.241.208.100;124.146.215.43;202.241.208.55;124.146.215.52;202.241.208.53;202.241.208.56;124.146.215.47;124.146.215.51;124.146.215.42;124.146.215.48;124.146.215.50;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.795{6820D070-4D64-6323-ED00-000000007502}6140tg.socdm.com0type: 5 tg.dr.socdm.com;::ffff:124.146.215.50;::ffff:202.241.208.52;::ffff:124.146.215.45;::ffff:202.241.208.57;::ffff:124.146.215.46;::ffff:202.241.208.54;::ffff:124.146.215.49;::ffff:124.146.215.44;::ffff:202.241.208.100;::ffff:124.146.215.43;::ffff:202.241.208.55;::ffff:124.146.215.52;::ffff:202.241.208.53;::ffff:202.241.208.56;::ffff:124.146.215.47;::ffff:124.146.215.51;::ffff:124.146.215.42;::ffff:124.146.215.48;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.795{6820D070-4D64-6323-ED00-000000007502}6140usersync.gumgum.com0::ffff:54.87.127.173;::ffff:35.172.99.217;::ffff:3.213.224.199;::ffff:52.207.45.55;::ffff:3.214.33.241;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.794{6820D070-4D64-6323-ED00-000000007502}6140na-ice.360yield.com052.21.122.168;52.203.198.46;34.195.71.40;54.159.152.149;174.129.2.117;34.201.79.55;34.236.17.73;54.83.8.73;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.793{6820D070-4D64-6323-ED00-000000007502}6140sync.ipredictive.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.793{6820D070-4D64-6323-ED00-000000007502}6140lga-bh-bgp.contextweb.com0198.148.27.140;198.148.27.139;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.792{6820D070-4D64-6323-ED00-000000007502}6140bh.contextweb.com0type: 5 lga-bh.contextweb.com;type: 5 lga-bh-bgp.contextweb.com;::ffff:198.148.27.139;::ffff:198.148.27.140;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.790{6820D070-4D64-6323-ED00-000000007502}6140sync.ipredictive.com052.206.10.116;3.92.109.79;52.87.71.254;52.71.198.4;54.83.125.176;23.21.236.46;34.195.158.163;54.90.136.2;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.779{6820D070-4D64-6323-ED00-000000007502}6140zemanta-nychi.zemanta.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.779{6820D070-4D64-6323-ED00-000000007502}6140ad.360yield.com0type: 5 ice.360yield.com;type: 5 na-ice.360yield.com;::ffff:54.83.8.73;::ffff:52.21.122.168;::ffff:52.203.198.46;::ffff:34.195.71.40;::ffff:54.159.152.149;::ffff:174.129.2.117;::ffff:34.201.79.55;::ffff:34.236.17.73;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.738{6820D070-4D64-6323-ED00-000000007502}6140sync.ipredictive.com0::ffff:54.90.136.2;::ffff:52.206.10.116;::ffff:3.92.109.79;::ffff:52.87.71.254;::ffff:52.71.198.4;::ffff:54.83.125.176;::ffff:23.21.236.46;::ffff:34.195.158.163;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.735{6820D070-4D64-6323-ED00-000000007502}6140zemanta-nychi.zemanta.com070.42.32.159;64.202.112.31;64.74.236.127;50.31.142.159;64.74.236.63;64.202.112.191;70.42.32.95;70.42.32.127;70.42.32.63;50.31.142.95;64.74.236.95;64.202.112.63;50.31.142.191;64.74.236.223;64.202.112.95;50.31.142.63;64.74.236.31;50.31.142.255;50.31.142.223;64.74.236.255;50.31.142.31;64.202.112.255;64.202.112.223;70.42.32.31;70.42.32.255;64.202.112.127;70.42.32.191;70.42.32.223;64.202.112.159;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.705{6820D070-4D64-6323-ED00-000000007502}6140v04.cap-ash1.technoratimedia.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.697{6820D070-4D64-6323-ED00-000000007502}6140b1sync.zemanta.com0type: 5 zemanta-nychi.zemanta.com;::ffff:64.74.236.191;::ffff:70.42.32.159;::ffff:64.202.112.31;::ffff:64.74.236.127;::ffff:50.31.142.159;::ffff:64.74.236.63;::ffff:64.202.112.191;::ffff:70.42.32.95;::ffff:70.42.32.127;::ffff:70.42.32.63;::ffff:50.31.142.95;::ffff:64.74.236.95;::ffff:64.202.112.63;::ffff:50.31.142.191;::ffff:64.74.236.223;::ffff:64.202.112.95;::ffff:50.31.142.63;::ffff:64.74.236.31;::ffff:50.31.142.255;::ffff:50.31.142.223;::ffff:64.74.236.255;::ffff:50.31.142.31;::ffff:64.202.112.255;::ffff:64.202.112.223;::ffff:70.42.32.31;::ffff:70.42.32.255;::ffff:64.202.112.127;::ffff:70.42.32.191;::ffff:70.42.32.223;::ffff:64.202.112.159;::ffff:50.31.142.127;::ffff:64.74.236.159;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.695{6820D070-4D64-6323-ED00-000000007502}6140v04.cap-ash1.technoratimedia.com0150.136.156.92;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.677{6820D070-4D64-6323-ED00-000000007502}6140tg.socdm.com0type: 5 tg.dr.socdm.com;::ffff:124.146.215.48;::ffff:124.146.215.50;::ffff:202.241.208.52;::ffff:124.146.215.45;::ffff:202.241.208.57;::ffff:124.146.215.46;::ffff:202.241.208.54;::ffff:124.146.215.49;::ffff:124.146.215.44;::ffff:202.241.208.100;::ffff:124.146.215.43;::ffff:202.241.208.55;::ffff:124.146.215.52;::ffff:202.241.208.53;::ffff:202.241.208.56;::ffff:124.146.215.47;::ffff:124.146.215.51;::ffff:124.146.215.42;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.677{6820D070-4D64-6323-ED00-000000007502}6140match.deepintent.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.676{6820D070-4D64-6323-ED00-000000007502}6140ads.servenobid.com034.192.48.51;52.71.89.95;34.194.186.136;54.167.225.22;52.203.182.8;52.207.67.12;54.147.116.125;3.91.129.94;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.675{6820D070-4D64-6323-ED00-000000007502}6140bh.contextweb.com0type: 5 lga-bh.contextweb.com;type: 5 lga-bh-bgp.contextweb.com;::ffff:198.148.27.140;::ffff:198.148.27.139;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.675{6820D070-4D64-6323-ED00-000000007502}6140ad.360yield.com0type: 5 ice.360yield.com;type: 5 na-ice.360yield.com;::ffff:34.236.17.73;::ffff:54.83.8.73;::ffff:52.21.122.168;::ffff:52.203.198.46;::ffff:34.195.71.40;::ffff:54.159.152.149;::ffff:174.129.2.117;::ffff:34.201.79.55;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.675{6820D070-4D64-6323-ED00-000000007502}6140sync.ipredictive.com0::ffff:34.195.158.163;::ffff:54.90.136.2;::ffff:52.206.10.116;::ffff:3.92.109.79;::ffff:52.87.71.254;::ffff:52.71.198.4;::ffff:54.83.125.176;::ffff:23.21.236.46;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.674{6820D070-4D64-6323-ED00-000000007502}6140ads.servenobid.com0::ffff:3.91.129.94;::ffff:34.192.48.51;::ffff:52.71.89.95;::ffff:34.194.186.136;::ffff:54.167.225.22;::ffff:52.203.182.8;::ffff:52.207.67.12;::ffff:54.147.116.125;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.674{6820D070-4D64-6323-ED00-000000007502}6140match.deepintent.com0169.197.150.8;38.91.45.7;169.197.150.7;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.674{6820D070-4D64-6323-ED00-000000007502}6140b1sync.zemanta.com0type: 5 zemanta-nychi.zemanta.com;::ffff:50.31.142.127;::ffff:64.74.236.159;::ffff:64.74.236.191;::ffff:70.42.32.159;::ffff:64.202.112.31;::ffff:64.74.236.127;::ffff:50.31.142.159;::ffff:64.74.236.63;::ffff:64.202.112.191;::ffff:70.42.32.95;::ffff:70.42.32.127;::ffff:70.42.32.63;::ffff:50.31.142.95;::ffff:64.74.236.95;::ffff:64.202.112.63;::ffff:50.31.142.191;::ffff:64.74.236.223;::ffff:64.202.112.95;::ffff:50.31.142.63;::ffff:64.74.236.31;::ffff:50.31.142.255;::ffff:50.31.142.223;::ffff:64.74.236.255;::ffff:50.31.142.31;::ffff:64.202.112.255;::ffff:64.202.112.223;::ffff:70.42.32.31;::ffff:70.42.32.255;::ffff:64.202.112.127;::ffff:70.42.32.191;::ffff:70.42.32.223;::ffff:64.202.112.159;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.673{6820D070-4D64-6323-ED00-000000007502}6140match.deepintent.com0::ffff:169.197.150.7;::ffff:169.197.150.8;::ffff:38.91.45.7;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.671{6820D070-4D64-6323-ED00-000000007502}6140sync.technoratimedia.com0type: 5 adserver.technoratimedia.com;type: 5 v04.cap-ash1.technoratimedia.com;::ffff:150.136.156.92;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.671{6820D070-4D64-6323-ED00-000000007502}6140match.deepintent.com0::ffff:38.91.45.7;::ffff:169.197.150.7;::ffff:169.197.150.8;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.636{6820D070-4D64-6323-ED00-000000007502}6140sync.srv.stackadapt.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.598{6820D070-4D64-6323-ED00-000000007502}6140chidc2.outbrain.org9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.594{6820D070-4D64-6323-ED00-000000007502}6140cs9.wac.phicdn.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.592{6820D070-4D64-6323-ED00-000000007502}6140cs9.wac.phicdn.net072.21.91.29;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.588{6820D070-4D64-6323-ED00-000000007502}6140chidc2.outbrain.org064.74.236.127;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.580{6820D070-4D64-6323-ED00-000000007502}6140sync.srv.stackadapt.com054.146.105.203;34.228.89.248;54.174.178.125;54.243.184.83;52.54.46.88;52.205.223.187;3.228.99.19;3.231.251.159;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.576{6820D070-4D64-6323-ED00-000000007502}6140sync.srv.stackadapt.com0::ffff:3.231.251.159;::ffff:54.146.105.203;::ffff:34.228.89.248;::ffff:54.174.178.125;::ffff:54.243.184.83;::ffff:52.54.46.88;::ffff:52.205.223.187;::ffff:3.228.99.19;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.569{6820D070-4D64-6323-ED00-000000007502}6140h2.shared.global.fastly.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.557{6820D070-4D64-6323-ED00-000000007502}6140sync.srv.stackadapt.com0::ffff:3.228.99.19;::ffff:3.231.251.159;::ffff:54.146.105.203;::ffff:34.228.89.248;::ffff:54.174.178.125;::ffff:54.243.184.83;::ffff:52.54.46.88;::ffff:52.205.223.187;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.548{6820D070-4D64-6323-ED00-000000007502}6140h2.shared.global.fastly.net0146.75.34.49;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.533{6820D070-4D64-6323-ED00-000000007502}6140sync-tm.everesttech.net0type: 5 sync.tubemogul.com;type: 5 syncf.tubemogul.com;type: 5 h2.shared.global.fastly.net;::ffff:146.75.34.49;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.486{6820D070-4D64-6323-ED00-000000007502}6140zeta-ssp-385516103.us-east-1.elb.amazonaws.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.481{6820D070-4D64-6323-ED00-000000007502}6140zeta-ssp-385516103.us-east-1.elb.amazonaws.com052.206.33.177;54.147.206.141;44.198.244.56;44.199.43.130;54.87.85.237;52.20.203.237;35.168.53.23;50.16.244.213;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.477{6820D070-4D64-6323-ED00-000000007502}6140a0c5f01281df4496c8c90970c4af6afb-1698139360.us-east-1.elb.amazonaws.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.474{6820D070-4D64-6323-ED00-000000007502}6140a0c5f01281df4496c8c90970c4af6afb-1698139360.us-east-1.elb.amazonaws.com03.230.47.190;44.194.177.91;3.229.251.39;52.71.232.26;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.472{6820D070-4D64-6323-ED00-000000007502}6140x.yieldlift.com0type: 5 a0c5f01281df4496c8c90970c4af6afb-1698139360.us-east-1.elb.amazonaws.com;::ffff:52.71.232.26;::ffff:3.230.47.190;::ffff:44.194.177.91;::ffff:3.229.251.39;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.470{6820D070-4D64-6323-ED00-000000007502}6140x.yieldlift.com0type: 5 a0c5f01281df4496c8c90970c4af6afb-1698139360.us-east-1.elb.amazonaws.com;::ffff:3.229.251.39;::ffff:52.71.232.26;::ffff:3.230.47.190;::ffff:44.194.177.91;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.470{6820D070-4D64-6323-ED00-000000007502}6140nace.vap.lijit.com069.175.41.2;69.175.41.32;69.175.41.79;69.175.41.15;69.175.41.44;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.469{6820D070-4D64-6323-ED00-000000007502}6140ce.lijit.com0type: 5 vap.lijit.com;type: 5 nace.vap.lijit.com;::ffff:69.175.41.44;::ffff:69.175.41.2;::ffff:69.175.41.32;::ffff:69.175.41.79;::ffff:69.175.41.15;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.465{6820D070-4D64-6323-ED00-000000007502}6140ce.lijit.com0type: 5 vap.lijit.com;type: 5 nace.vap.lijit.com;::ffff:69.175.41.15;::ffff:69.175.41.44;::ffff:69.175.41.2;::ffff:69.175.41.32;::ffff:69.175.41.79;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.465{6820D070-4D64-6323-ED00-000000007502}6140g2.gumgum.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.464{6820D070-4D64-6323-ED00-000000007502}6140e8960.e2.akamaiedge.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.460{6820D070-4D64-6323-ED00-000000007502}6140e8960.e2.akamaiedge.net023.202.201.246;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.456{6820D070-4D64-6323-ED00-000000007502}6140g2.gumgum.com054.237.153.63;52.2.25.159;54.144.187.195;52.2.117.35;3.221.175.138;3.91.115.203;34.202.104.213;52.207.167.189;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.452{6820D070-4D64-6323-ED00-000000007502}6140g2.gumgum.com0::ffff:52.207.167.189;::ffff:54.237.153.63;::ffff:52.2.25.159;::ffff:54.144.187.195;::ffff:52.2.117.35;::ffff:3.221.175.138;::ffff:3.91.115.203;::ffff:34.202.104.213;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.444{6820D070-4D64-6323-ED00-000000007502}6140g2.gumgum.com0::ffff:34.202.104.213;::ffff:52.207.167.189;::ffff:54.237.153.63;::ffff:52.2.25.159;::ffff:54.144.187.195;::ffff:52.2.117.35;::ffff:3.221.175.138;::ffff:3.91.115.203;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.370{6820D070-4D64-6323-ED00-000000007502}6140a.vidoomy.com0type: 5 production-loadbalancer-1975618156.eu-central-1.elb.amazonaws.com;::ffff:18.197.160.71;::ffff:18.194.202.243;::ffff:18.198.12.238;::ffff:52.28.123.190;::ffff:3.127.18.59;::ffff:3.74.206.104;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.368{6820D070-4D64-6323-ED00-000000007502}6140a.vidoomy.com0type: 5 production-loadbalancer-1975618156.eu-central-1.elb.amazonaws.com;::ffff:3.74.206.104;::ffff:18.197.160.71;::ffff:18.194.202.243;::ffff:18.198.12.238;::ffff:52.28.123.190;::ffff:3.127.18.59;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.341{6820D070-4D64-6323-ED00-000000007502}6140sync-eu.connectad.io02606:4700:10::ac43:8ae;2606:4700:10::6816:37ce;2606:4700:10::6816:36ce;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.335{6820D070-4D64-6323-ED00-000000007502}6140sync-eu.connectad.io0104.22.55.206;172.67.8.174;104.22.54.206;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.334{6820D070-4D64-6323-ED00-000000007502}6140sync-eu.connectad.io0::ffff:104.22.54.206;::ffff:104.22.55.206;::ffff:172.67.8.174;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.320{6820D070-4D64-6323-ED00-000000007502}6140sync-eu.connectad.io0::ffff:172.67.8.174;::ffff:104.22.54.206;::ffff:104.22.55.206;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.238{6820D070-4D64-6323-ED00-000000007502}6140na-ice.360yield.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.235{6820D070-4D64-6323-ED00-000000007502}6140cookiematch-us-east-1.prod.justpremium.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.233{6820D070-4D64-6323-ED00-000000007502}6140cookiematch-us-east-1.prod.justpremium.com054.208.24.13;34.227.219.91;54.86.194.8;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.232{6820D070-4D64-6323-ED00-000000007502}6140match.justpremium.com0type: 5 cookiematch-us-east-1.prod.justpremium.com;::ffff:54.86.194.8;::ffff:54.208.24.13;::ffff:34.227.219.91;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.231{6820D070-4D64-6323-ED00-000000007502}6140match.justpremium.com0type: 5 cookiematch-us-east-1.prod.justpremium.com;::ffff:34.227.219.91;::ffff:54.86.194.8;::ffff:54.208.24.13;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.224{6820D070-4D64-6323-ED00-000000007502}6140x.serverbid.com0type: 5 exchange.consumabletv.com;type: 5 cx.serverbid.com;::ffff:159.89.246.130;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.199{6820D070-4D64-6323-ED00-000000007502}6140na-ice.360yield.com034.201.79.55;34.236.17.73;54.83.8.73;52.21.122.168;52.203.198.46;34.195.71.40;54.159.152.149;174.129.2.117;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.195{6820D070-4D64-6323-ED00-000000007502}6140ice.360yield.com0type: 5 na-ice.360yield.com;::ffff:174.129.2.117;::ffff:34.201.79.55;::ffff:34.236.17.73;::ffff:54.83.8.73;::ffff:52.21.122.168;::ffff:52.203.198.46;::ffff:34.195.71.40;::ffff:54.159.152.149;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.192{6820D070-4D64-6323-ED00-000000007502}6140ice.360yield.com0type: 5 na-ice.360yield.com;::ffff:54.159.152.149;::ffff:174.129.2.117;::ffff:34.201.79.55;::ffff:34.236.17.73;::ffff:54.83.8.73;::ffff:52.21.122.168;::ffff:52.203.198.46;::ffff:34.195.71.40;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.105{6820D070-4D64-6323-ED00-000000007502}6140pugm-vac.pubmnet.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.103{6820D070-4D64-6323-ED00-000000007502}6140pugm-vac.pubmnet.com08.28.7.81;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.098{6820D070-4D64-6323-ED00-000000007502}6140ssum-sec.casalemedia.com.cdn.cloudflare.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.093{6820D070-4D64-6323-ED00-000000007502}6140ssum-sec.casalemedia.com.cdn.cloudflare.net0104.18.18.126;104.18.19.126;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.088{6820D070-4D64-6323-ED00-000000007502}6140prod.ups-us-east-1.aolp-ds-prd.aws.oath.cloud9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.078{6820D070-4D64-6323-ED00-000000007502}6140prod.ups-us-east-1.aolp-ds-prd.aws.oath.cloud034.197.236.209;34.193.80.51;107.20.229.204;23.22.46.108;44.195.153.167;52.203.62.63;54.204.204.21;34.199.32.205;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.074{6820D070-4D64-6323-ED00-000000007502}6140iad-2-sync.go.sonobi.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.074{6820D070-4D64-6323-ED00-000000007502}6140nace.vap.lijit.com069.175.41.79;69.175.41.15;69.175.41.44;69.175.41.2;69.175.41.32;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000344505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.073{6820D070-4D64-6323-ED00-000000007502}6140ap.lijit.com0type: 5 vap.lijit.com;type: 5 nace.vap.lijit.com;::ffff:69.175.41.32;::ffff:69.175.41.79;::ffff:69.175.41.15;::ffff:69.175.41.44;::ffff:69.175.41.2;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000344504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.027{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000344503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.027{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000344502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.026{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000344501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.025{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000344500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.025{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000344499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.025{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 23542300x8000000000000000189939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:27.505{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A603155D31A03F0AEC876EF9044C714,SHA256=185AE8D37608D9101988FD7D3342A270D4897866EDCF5C130DDBBDAB7A79373A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000345979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.001{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63646- 354300x8000000000000000345978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.978{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local60588- 354300x8000000000000000345977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.969{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local54642- 354300x8000000000000000345976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.960{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local60499- 354300x8000000000000000345975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.955{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63502-false104.18.13.76-443https 354300x8000000000000000345974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.921{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local58729- 354300x8000000000000000345973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.908{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local60959- 354300x8000000000000000345972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.903{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local57512- 354300x8000000000000000345971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.886{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local61614- 354300x8000000000000000345970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.880{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63501-false104.122.45.12a104-122-45-12.deploy.static.akamaitechnologies.com443https 354300x8000000000000000345969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.866{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local57359- 354300x8000000000000000345968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.858{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local58859- 354300x8000000000000000345967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.825{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local55187- 354300x8000000000000000345966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.823{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local56723- 354300x8000000000000000345965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.804{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local64478- 10341000x8000000000000000345964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.691{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000345963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.691{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000345962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.691{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000345961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.690{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000345960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.690{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000345959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.690{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 354300x8000000000000000345958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.798{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local62960- 354300x8000000000000000345957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.796{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local64365- 354300x8000000000000000345956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.758{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63499-false141.95.33.111ns3203177.ip-141-95-33.eu443https 354300x8000000000000000345955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.737{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local60331- 354300x8000000000000000345954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.735{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local62927- 354300x8000000000000000345953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.715{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local56394- 354300x8000000000000000345952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.713{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59078- 354300x8000000000000000345951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.709{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local60764- 354300x8000000000000000345950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.706{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local58023- 354300x8000000000000000345949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.701{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local56929- 354300x8000000000000000345948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.695{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63446- 354300x8000000000000000345947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.694{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63543- 354300x8000000000000000345946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.693{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local56858- 354300x8000000000000000345945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.676{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63500-false8.43.72.97-443https 354300x8000000000000000345944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.665{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local64943- 354300x8000000000000000345943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.663{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local56594- 354300x8000000000000000345942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.656{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local56974- 354300x8000000000000000345941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.654{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local60077- 354300x8000000000000000345940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.642{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local58755- 354300x8000000000000000345939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.579{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local58664- 354300x8000000000000000345938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.578{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local54852- 354300x8000000000000000345937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.577{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local55494- 354300x8000000000000000345936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.559{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local54725- 354300x8000000000000000345935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.558{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local55843- 354300x8000000000000000345934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.557{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local62505- 354300x8000000000000000345933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.528{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63498-false18.214.113.242ec2-18-214-113-242.compute-1.amazonaws.com443https 354300x8000000000000000345932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.521{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63494- 354300x8000000000000000345931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.520{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local62839- 354300x8000000000000000345930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.518{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local57206- 354300x8000000000000000345929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.493{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53682- 354300x8000000000000000345928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.489{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63497-false68.67.160.186675.bm-nginx-loadbalancer.mgmt.nym2.adnexus.net443https 354300x8000000000000000345927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.486{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local60142- 354300x8000000000000000345926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.484{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59835- 354300x8000000000000000345925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.482{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53654- 354300x8000000000000000345924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.481{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local55089- 354300x8000000000000000345923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.478{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local62668- 354300x8000000000000000345922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.437{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63496-false69.175.41.15sovrn-193627-chi03-placeholder443https 354300x8000000000000000345921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.424{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63494-false3.229.251.39ec2-3-229-251-39.compute-1.amazonaws.com443https 354300x8000000000000000345920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.423{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63495-false172.67.8.174-443https 354300x8000000000000000345919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.421{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63493-false104.18.19.126-443https 354300x8000000000000000345918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.308{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63492-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000345917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.293{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000345916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.293{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000345915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.292{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000345914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.292{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000345913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.292{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000345912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.291{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 734700x8000000000000000345911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.164{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll104.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=E955B74FC4EC39B2FBA71B95F5785511,SHA256=AF895F69461521DC6DE09FA62D81F833D63D8559CA58FDBDACDDEBAF756FE717,IMPHASH=603677F758E7CEE100C502B5C0E50293trueMozilla CorporationValid 734700x8000000000000000345910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.164{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll104.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=E955B74FC4EC39B2FBA71B95F5785511,SHA256=AF895F69461521DC6DE09FA62D81F833D63D8559CA58FDBDACDDEBAF756FE717,IMPHASH=603677F758E7CEE100C502B5C0E50293trueMozilla CorporationValid 734700x8000000000000000345909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.163{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll104.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=4E78CA1C6C19DE0E2F37505183B005A8,SHA256=ADFA856F86B98E90DA37A1BDA1ABC261A6A871042FB342F93F43C6777E9E3CE2,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 734700x8000000000000000345908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.163{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll104.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=4E78CA1C6C19DE0E2F37505183B005A8,SHA256=ADFA856F86B98E90DA37A1BDA1ABC261A6A871042FB342F93F43C6777E9E3CE2,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 10341000x8000000000000000345907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.160{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.160{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.159{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.159{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.155{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x8000000000000000345902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.154{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x8000000000000000345901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.153{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x8000000000000000345900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.151{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x8000000000000000345899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.149{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x8000000000000000345898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.148{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 10341000x8000000000000000345897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.147{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.147{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.146{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000345894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.146{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 734700x8000000000000000345893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.144{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x8000000000000000345892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.142{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000345891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.142{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000345890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.141{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000345889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.141{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 10341000x8000000000000000345888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.140{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.140{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 10341000x8000000000000000345886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.140{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.140{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x8000000000000000345884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.137{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\freebl3.dll104.0.2-FirefoxMozilla Foundationfreebl3.dllMD5=E955B74FC4EC39B2FBA71B95F5785511,SHA256=AF895F69461521DC6DE09FA62D81F833D63D8559CA58FDBDACDDEBAF756FE717,IMPHASH=603677F758E7CEE100C502B5C0E50293trueMozilla CorporationValid 734700x8000000000000000345883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.137{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000345882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.136{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\softokn3.dll104.0.2-FirefoxMozilla Foundationsoftokn3.dllMD5=4E78CA1C6C19DE0E2F37505183B005A8,SHA256=ADFA856F86B98E90DA37A1BDA1ABC261A6A871042FB342F93F43C6777E9E3CE2,IMPHASH=8217C8B17239D6236F43DE3AC007B8A6trueMozilla CorporationValid 18141800x8000000000000000345881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:28.134{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-48C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000345880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:28.134{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-48C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000345879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.134{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x8000000000000000345878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.132{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000345877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.132{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 10341000x8000000000000000345876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.132{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.131{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 734700x8000000000000000345874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.131{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000345873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.130{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 10341000x8000000000000000345872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.130{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.130{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000345870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.129{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000345869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.128{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x8000000000000000345868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.125{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=E6024B83C3D336E71E636E2816A0F6C6,SHA256=6BCFB676656A149E0307D6BA0AEE58FA6057BB8A920B57505CD2B90C8968DF94,IMPHASH=4DF173E853B52F621D05CC337B9F72CEtrueMicrosoft WindowsValid 734700x8000000000000000345867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.123{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\devobj.dll10.0.14393.0 (rs1_release.160715-1616)Device Information Set DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdevinfoset.DLLMD5=72AD993A6E896EB50058A73D045F3284,SHA256=CFF524F52D5F91788F34A47076E0CA36132890981079B27F559279B3F6FC3B11,IMPHASH=DFDCA72C641F8587ADF49CA0ED1D5817trueMicrosoft WindowsValid 734700x8000000000000000345866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.122{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\setupapi.dll10.0.14393.2608 (rs1_release.181024-1742)Windows Setup APIMicrosoft® Windows® Operating SystemMicrosoft CorporationSETUPAPI.DLLMD5=8EEA3E9E124AC395915517588723F12E,SHA256=ED63B8F0079069271F46EECCB4B0CF384D02BD1E18FE3BA635A0C0B1284B2CBE,IMPHASH=5910ADAAC44A92AFA6ED871531949CEEtrueMicrosoft WindowsValid 18141800x8000000000000000345865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:28.120{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-47C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000345864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:28.120{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-47C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000345863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.118{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000345862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.117{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000345861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.117{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x8000000000000000345860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.116{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 10341000x8000000000000000345859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.116{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.116{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.113{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.112{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000345855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.112{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x8000000000000000345854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.111{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 18141800x8000000000000000345853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:28.111{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.18131302077287197456C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000345852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:28.110{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.18131302077287197456C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000345851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.110{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000345850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.110{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 10341000x8000000000000000345849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.109{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1a81b5a|C:\Program Files\Mozilla Firefox\xul.dll+1a7fb67|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000345848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:28.108{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.52.177393618C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000345847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.107{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000345846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.107{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000345845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.106{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000345844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.106{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000345843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.105{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 354300x8000000000000000345842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.300{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63490-false69.175.41.15sovrn-193627-chi03-placeholder443https 354300x8000000000000000345841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.291{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63491-false54.87.127.173ec2-54-87-127-173.compute-1.amazonaws.com443https 354300x8000000000000000345840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.277{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59895- 354300x8000000000000000345839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.276{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local54371- 354300x8000000000000000345838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.275{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63487-false69.175.41.15sovrn-193627-chi03-placeholder443https 354300x8000000000000000345837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.274{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63488-false69.175.41.15sovrn-193627-chi03-placeholder443https 354300x8000000000000000345836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.274{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local55358- 354300x8000000000000000345835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.255{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53829- 354300x8000000000000000345834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.254{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local57307- 354300x8000000000000000345833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.252{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local56837- 354300x8000000000000000345832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.246{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63480-false124.146.215.48-443https 354300x8000000000000000345831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.199{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63485-false162.248.18.11-443https 354300x8000000000000000345830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.197{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63486-false54.87.127.173ec2-54-87-127-173.compute-1.amazonaws.com443https 354300x8000000000000000345829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.190{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63484-false104.18.19.126-443https 354300x8000000000000000345828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.172{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63483-false104.36.115.114-443https 354300x8000000000000000345827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.121{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local64801- 354300x8000000000000000345826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.118{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local62635- 354300x8000000000000000345825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.089{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63481-false104.36.115.114-443https 354300x8000000000000000345824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.086{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63482-false54.87.127.173ec2-54-87-127-173.compute-1.amazonaws.com443https 354300x8000000000000000345823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.078{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63479-false54.87.127.173ec2-54-87-127-173.compute-1.amazonaws.com443https 354300x8000000000000000345822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.055{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63478-false54.87.127.173ec2-54-87-127-173.compute-1.amazonaws.com443https 354300x8000000000000000345821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.054{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local55648- 354300x8000000000000000345820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.053{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53590- 10341000x8000000000000000345819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.101{6820D070-4D64-6323-ED00-000000007502}61404084C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+114dfb|C:\Program Files\Mozilla Firefox\xul.dll+12ee2b1|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000345818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:28.101{6820D070-4D64-6323-ED00-000000007502}6140\gecko-crash-server-pipe.6140C:\Program Files\Mozilla Firefox\firefox.exe 18141800x8000000000000000345817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:28.100{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-46C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000345816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:28.100{6820D070-4D64-6323-ED00-000000007502}6140\LOCAL\cubeb-pipe-6140-46C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000345815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.099{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.098{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000345813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.098{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=24C1E8F8C10471C5A6F0E8AF141211EB,SHA256=75ECAE23C920D81614BA5C0648377C2FC04C7379FD6A388C244A81F50AAB7B1C,IMPHASH=0B9A3C99AAFA99247F9E2BD866186AEAtrueMicrosoft WindowsValid 734700x8000000000000000345812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.098{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=F16410F5D557337B05CF4F93691EC106,SHA256=2B5BC3C0A6514356C6719298FC25D8D192A2C973EE3283EF48379D2745C9BD87,IMPHASH=9F0D37252D56D3F9E44E69CCC59B57AEtrueMicrosoft WindowsValid 734700x8000000000000000345811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.097{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x8000000000000000345810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.096{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 18141800x8000000000000000345809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:28.095{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.12011638539852195071C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000345808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:28.095{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.12011638539852195071C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000345807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.095{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000345806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.094{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 10341000x8000000000000000345805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.094{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1a81b5a|C:\Program Files\Mozilla Firefox\xul.dll+1a7fb67|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.094{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 18141800x8000000000000000345803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:28.094{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.51.98946024C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000345802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.093{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000345801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.093{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000345800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.093{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000345799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.092{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000345798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.092{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000345797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.091{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=55FCE44E89BDA2444619661FE50F43EE,SHA256=420CACA0D821E7E9F1D1E683E9899BC2F6D5A4AA06C8D4BB23335DD9490CC0F8,IMPHASH=8B8383FC3FA03C92F859A2AF899A52ADtrueMicrosoft WindowsValid 734700x8000000000000000345796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.091{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll104.0.2-FirefoxMozilla Foundationxul.dllMD5=0A51F22D078855CE4E32F0987E9B06C6,SHA256=CD073C7F42A13D192E8E96AC16B0C2BE56D40424768DC65733380AB4AFBD4716,IMPHASH=9A9A84C657A1B1C5F1F6F1989D349543trueMozilla CorporationValid 734700x8000000000000000345795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.091{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll104.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=8A81C934123E7CA79B7A1741570D3336,SHA256=0A0F351BBB315E6364398A55F77607E57C29CB83BEE9FC6D7EA6DC3D761964DA,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x8000000000000000345794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.089{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x8000000000000000345793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.088{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000345792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.088{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000345791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.088{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000345790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.088{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000345789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.087{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000345788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.087{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll104.0.2-FirefoxMozilla Foundationnss3.dllMD5=53509A4511300964ADB047AD5F1F1170,SHA256=2241536476C6C2CCE371DCFB08432C351198809A577FFC2E79D27FCEAAB6FEE5,IMPHASH=C637BF48786E5FC945D5268F49B50500trueMozilla CorporationValid 10341000x8000000000000000345787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.087{6820D070-4D64-6323-ED00-000000007502}61404084C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+114dfb|C:\Program Files\Mozilla Firefox\xul.dll+12ee2b1|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000345786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:28.087{6820D070-4D64-6323-ED00-000000007502}6140\gecko-crash-server-pipe.6140C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000345785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.085{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000345784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.084{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000345783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.084{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000345782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.084{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000345781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.081{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000345780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.081{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.081{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x8000000000000000345778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.080{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000345777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.080{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x8000000000000000345776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.079{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000345775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.079{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000345774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.079{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000345773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.079{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000345772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.078{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000345771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.078{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000345770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.078{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 18141800x8000000000000000345769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:28.077{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.616503435139837146C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000345768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:28.077{6820D070-4D64-6323-ED00-000000007502}6140\gecko.6140.5612.616503435139837146C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000345767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.077{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000345766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.077{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 734700x8000000000000000345765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.077{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 10341000x8000000000000000345764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.076{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+1a81b5a|C:\Program Files\Mozilla Firefox\xul.dll+1a7fb67|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000345763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:28.076{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.50.5357399C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000345762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.075{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=55FCE44E89BDA2444619661FE50F43EE,SHA256=420CACA0D821E7E9F1D1E683E9899BC2F6D5A4AA06C8D4BB23335DD9490CC0F8,IMPHASH=8B8383FC3FA03C92F859A2AF899A52ADtrueMicrosoft WindowsValid 734700x8000000000000000345761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.075{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 734700x8000000000000000345760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.075{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 734700x8000000000000000345759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.074{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll104.0.2-FirefoxMozilla Foundationxul.dllMD5=0A51F22D078855CE4E32F0987E9B06C6,SHA256=CD073C7F42A13D192E8E96AC16B0C2BE56D40424768DC65733380AB4AFBD4716,IMPHASH=9A9A84C657A1B1C5F1F6F1989D349543trueMozilla CorporationValid 734700x8000000000000000345758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.074{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x8000000000000000345757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.074{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll104.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=8A81C934123E7CA79B7A1741570D3336,SHA256=0A0F351BBB315E6364398A55F77607E57C29CB83BEE9FC6D7EA6DC3D761964DA,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 734700x8000000000000000345756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.073{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5291 (rs1_release.220806-1444)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=0D54B119907CCD11827832973EAB917D,SHA256=78C28A0165B0A2581662CFB3A89E319006518DC2E1A664E6027C7F8EBFA05D92,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x8000000000000000345755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.072{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 734700x8000000000000000345754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.072{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000345753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.071{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000345752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.071{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll104.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D81C40EAA529D675598BD3D88F4D273B,SHA256=F89754F1E16A89AF01B5A3B2F4FDE652AA14DBA3131FB9A831D1E51E2E4D9359,IMPHASH=59035CC8561E9C04E566E656F35B9519trueMozilla CorporationValid 734700x8000000000000000345751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.071{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000345750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.071{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000345749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.070{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000345748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.070{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000345747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.070{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll104.0.2-FirefoxMozilla Foundationnss3.dllMD5=53509A4511300964ADB047AD5F1F1170,SHA256=2241536476C6C2CCE371DCFB08432C351198809A577FFC2E79D27FCEAAB6FEE5,IMPHASH=C637BF48786E5FC945D5268F49B50500trueMozilla CorporationValid 734700x8000000000000000345746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.069{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000345745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.069{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000345744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.068{6820D070-4D64-6323-ED00-000000007502}61404084C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+114dfb|C:\Program Files\Mozilla Firefox\xul.dll+12ee2b1|C:\Windows\SYSTEM32\ntdll.dll+7f61d|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 18141800x8000000000000000345743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-ConnectPipe2022-09-15 16:08:28.068{6820D070-4D64-6323-ED00-000000007502}6140\gecko-crash-server-pipe.6140C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000345742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.067{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000345741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.067{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 10341000x8000000000000000345740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.067{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e76539|C:\Program Files\Mozilla Firefox\xul.dll+e6774a|C:\Program Files\Mozilla Firefox\xul.dll+e75602|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+1a61c23|C:\Program Files\Mozilla Firefox\xul.dll+17b1bad|C:\Program Files\Mozilla Firefox\xul.dll+1a890bb|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.067{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0trueMozilla CorporationValid 10341000x8000000000000000345738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.066{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9f9b59|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a7fd3f|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.066{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000345736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.065{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000345735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.065{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000345734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.065{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000345733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.063{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 10341000x8000000000000000345732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.063{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.063{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.062{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 10341000x8000000000000000345729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.062{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.062{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.061{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x8000000000000000345726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.060{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 10341000x8000000000000000345725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.060{6820D070-4B7C-6323-8800-000000007502}628648C:\Windows\system32\csrss.exe{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x8000000000000000345724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.060{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 10341000x8000000000000000345723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.060{6820D070-4D64-6323-ED00-000000007502}61405840C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+2bb52|C:\Program Files\Mozilla Firefox\firefox.exe+59d7|C:\Program Files\Mozilla Firefox\xul.dll+203367f|C:\Program Files\Mozilla Firefox\xul.dll+9f4a88|C:\Program Files\Mozilla Firefox\xul.dll+9f2b85|C:\Program Files\Mozilla Firefox\xul.dll+9faa2e|C:\Program Files\Mozilla Firefox\xul.dll+84ead3|C:\Program Files\Mozilla Firefox\xul.dll+17b26ed|C:\Program Files\Mozilla Firefox\xul.dll+17b0967|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+8523f7|C:\Program Files\Mozilla Firefox\nss3.dll+75edc|C:\Program Files\Mozilla Firefox\nss3.dll+8c1d1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.060{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 154100x8000000000000000345721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.059{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6140.52.1773936187\619957021" -childID 49 -isForBrowser -prefsHandle 11792 -prefMapHandle 11796 -prefsLen 31603 -prefMapSize 231974 -jsInitHandle 1100 -jsInitLen 247228 -a11yResourceId 64 -parentBuildID 20220902153754 -appDir "C:\Program Files\Mozilla Firefox\browser" - 6140 "\\.\pipe\gecko-crash-server-pipe.6140" 11648 2612f276548 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{6820D070-4B7D-6323-1F63-0C0000000000}0xc631f2LowMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 734700x8000000000000000345720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.059{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000345719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.059{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000345718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.059{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 10341000x8000000000000000345717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.058{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.058{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 10341000x8000000000000000345715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.058{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.058{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 10341000x8000000000000000345713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.058{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.058{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.058{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 10341000x8000000000000000345710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.058{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.057{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.057{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.057{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wintrust.dll10.0.14393.5125 (rs1_release.220429-1732)Microsoft Trust Verification APIsMicrosoft® Windows® Operating SystemMicrosoft CorporationWINTRUST.DLLMD5=55FCE44E89BDA2444619661FE50F43EE,SHA256=420CACA0D821E7E9F1D1E683E9899BC2F6D5A4AA06C8D4BB23335DD9490CC0F8,IMPHASH=8B8383FC3FA03C92F859A2AF899A52ADtrueMicrosoft WindowsValid 734700x8000000000000000345706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.057{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 10341000x8000000000000000345705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.057{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.057{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.056{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.056{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\xul.dll104.0.2-FirefoxMozilla Foundationxul.dllMD5=0A51F22D078855CE4E32F0987E9B06C6,SHA256=CD073C7F42A13D192E8E96AC16B0C2BE56D40424768DC65733380AB4AFBD4716,IMPHASH=9A9A84C657A1B1C5F1F6F1989D349543trueMozilla CorporationValid 10341000x8000000000000000345701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.056{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.056{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5291 (rs1_release.220806-1444)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=0D54B119907CCD11827832973EAB917D,SHA256=78C28A0165B0A2581662CFB3A89E319006518DC2E1A664E6027C7F8EBFA05D92,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x8000000000000000345699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.056{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\lgpllibs.dll104.0.2-FirefoxMozilla Foundationlgpllibs.dllMD5=8A81C934123E7CA79B7A1741570D3336,SHA256=0A0F351BBB315E6364398A55F77607E57C29CB83BEE9FC6D7EA6DC3D761964DA,IMPHASH=451AECEA9F58042E76D96A82BE2804FAtrueMozilla CorporationValid 10341000x8000000000000000345698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.056{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.055{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.055{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.055{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.055{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.055{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll104.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D81C40EAA529D675598BD3D88F4D273B,SHA256=F89754F1E16A89AF01B5A3B2F4FDE652AA14DBA3131FB9A831D1E51E2E4D9359,IMPHASH=59035CC8561E9C04E566E656F35B9519trueMozilla CorporationValid 10341000x8000000000000000345692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.054{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.055{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\wsock32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Socket 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationwsock32.dllMD5=9471D5E2FEDF5552440BF935143DFAB0,SHA256=B489197F05EFFFB17F10FA9942DB88100C86BEB8291F9ACC8EB38BEF751BF90D,IMPHASH=6D33A1BDF842DEBFB889C44A830190E7trueMicrosoft WindowsValid 10341000x8000000000000000345690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.054{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.054{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 10341000x8000000000000000345688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.054{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.054{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.053{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.053{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000345684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.053{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.053{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 10341000x8000000000000000345682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.053{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.053{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.052{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.052{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 10341000x8000000000000000345678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.052{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.052{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000345676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.052{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000345675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.051{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\nss3.dll104.0.2-FirefoxMozilla Foundationnss3.dllMD5=53509A4511300964ADB047AD5F1F1170,SHA256=2241536476C6C2CCE371DCFB08432C351198809A577FFC2E79D27FCEAAB6FEE5,IMPHASH=C637BF48786E5FC945D5268F49B50500trueMozilla CorporationValid 734700x8000000000000000345674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.051{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000345673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.050{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 17141700x8000000000000000345672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:28.050{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.52.177393618C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000345671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.049{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000345670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.048{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000345669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.048{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e76539|C:\Program Files\Mozilla Firefox\xul.dll+e6774a|C:\Program Files\Mozilla Firefox\xul.dll+e75602|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+1a61c23|C:\Program Files\Mozilla Firefox\xul.dll+17b1bad|C:\Program Files\Mozilla Firefox\xul.dll+1a890bb|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.048{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000345667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.048{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0trueMozilla CorporationValid 734700x8000000000000000345666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.048{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 10341000x8000000000000000345665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.047{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9f9b59|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a7fd3f|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.047{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000345663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.047{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000345662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.046{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000345661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.045{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000345660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.043{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140_1.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140_1.dllMD5=135359D350F72AD4BF716B764D39E749,SHA256=34048ABAA070ECC13B318CEA31425F4CA3EDD133D350318AC65259E6058C8B32,IMPHASH=AE0BDE6314FA2027B54CE04898F6AB69trueMicrosoft CorporationValid 10341000x8000000000000000345659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.043{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.043{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.042{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.042{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.042{6820D070-4B7C-6323-8800-000000007502}6281180C:\Windows\system32\csrss.exe{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x8000000000000000345654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.042{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\vcruntime140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F34EB034AA4A9735218686590CBA2E8B,SHA256=9D2B40F0395CC5D1B4D5EA17B84970C29971D448C37104676DB577586D4AD1B1,IMPHASH=44C3854843F7A3FCCDF8DDBBEA66F302trueMicrosoft CorporationValid 10341000x8000000000000000345653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.042{6820D070-4D64-6323-ED00-000000007502}61405840C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+2bb52|C:\Program Files\Mozilla Firefox\firefox.exe+59d7|C:\Program Files\Mozilla Firefox\xul.dll+203367f|C:\Program Files\Mozilla Firefox\xul.dll+9f4a88|C:\Program Files\Mozilla Firefox\xul.dll+9f2b85|C:\Program Files\Mozilla Firefox\xul.dll+9faa2e|C:\Program Files\Mozilla Firefox\xul.dll+84ead3|C:\Program Files\Mozilla Firefox\xul.dll+17b26ed|C:\Program Files\Mozilla Firefox\xul.dll+17b0967|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+8523f7|C:\Program Files\Mozilla Firefox\nss3.dll+75edc|C:\Program Files\Mozilla Firefox\nss3.dll+8c1d1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000345652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.041{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6140.51.989460245\806734232" -childID 48 -isForBrowser -prefsHandle 11676 -prefMapHandle 11680 -prefsLen 31603 -prefMapSize 231974 -jsInitHandle 1100 -jsInitLen 247228 -a11yResourceId 64 -parentBuildID 20220902153754 -appDir "C:\Program Files\Mozilla Firefox\browser" - 6140 "\\.\pipe\gecko-crash-server-pipe.6140" 10056 26129396548 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{6820D070-4B7D-6323-1F63-0C0000000000}0xc631f2LowMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 734700x8000000000000000345651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.041{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msvcp140.dll14.29.30139.0 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationmsvcp140.dllMD5=6DA7F4530EDB350CF9D967D969CCECF8,SHA256=9FEE6F36547D6F6EA7CA0338655555DBA6BB0F798BC60334D29B94D1547DA4DA,IMPHASH=2BA11FD5A511C8A409E705E9AB6B5DC1trueMicrosoft CorporationValid 10341000x8000000000000000345650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.040{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.040{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.040{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.040{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 10341000x8000000000000000345646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.039{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.039{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.039{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.039{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.039{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.038{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.039{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\crypt32.dll10.0.14393.5291 (rs1_release.220806-1444)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=0D54B119907CCD11827832973EAB917D,SHA256=78C28A0165B0A2581662CFB3A89E319006518DC2E1A664E6027C7F8EBFA05D92,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 10341000x8000000000000000345639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.038{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.038{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.038{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.038{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\mozglue.dll104.0.2-FirefoxMozilla Foundationmozglue.dllMD5=D81C40EAA529D675598BD3D88F4D273B,SHA256=F89754F1E16A89AF01B5A3B2F4FDE652AA14DBA3131FB9A831D1E51E2E4D9359,IMPHASH=59035CC8561E9C04E566E656F35B9519trueMozilla CorporationValid 10341000x8000000000000000345635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.037{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.037{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 10341000x8000000000000000345633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.036{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.035{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.035{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.035{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.035{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.035{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.034{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.034{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 10341000x8000000000000000345625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.034{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000345624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.489{6820D070-4D64-6323-ED00-000000007502}6140id5-sync.com0162.19.138.83;141.95.98.65;162.19.138.116;162.19.138.118;141.95.98.64;162.19.138.82;141.95.33.111;162.19.138.117;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000345623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.034{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000345622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.488{6820D070-4D64-6323-ED00-000000007502}6140id5-sync.com0::ffff:162.19.138.117;::ffff:162.19.138.83;::ffff:141.95.98.65;::ffff:162.19.138.116;::ffff:162.19.138.118;::ffff:141.95.98.64;::ffff:162.19.138.82;::ffff:141.95.33.111;C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000345621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.034{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 22542200x8000000000000000345620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.486{6820D070-4D64-6323-ED00-000000007502}6140id5-sync.com0::ffff:141.95.33.111;::ffff:162.19.138.117;::ffff:162.19.138.83;::ffff:141.95.98.65;::ffff:162.19.138.116;::ffff:162.19.138.118;::ffff:141.95.98.64;::ffff:162.19.138.82;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000345619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.034{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000345618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.130{6820D070-4D64-6323-ED00-000000007502}6140sync.connectad.io02606:4700:10::6816:37ce;2606:4700:10::ac43:8ae;2606:4700:10::6816:36ce;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000345617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.129{6820D070-4D64-6323-ED00-000000007502}6140sync.connectad.io0104.22.55.206;172.67.8.174;104.22.54.206;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000345616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.128{6820D070-4D64-6323-ED00-000000007502}6140sync.connectad.io0::ffff:104.22.54.206;::ffff:104.22.55.206;::ffff:172.67.8.174;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000345615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.126{6820D070-4D64-6323-ED00-000000007502}6140sync.connectad.io0::ffff:172.67.8.174;::ffff:104.22.54.206;::ffff:104.22.55.206;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000345614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.062{6820D070-4D64-6323-ED00-000000007502}6140tg.dr.socdm.com0124.146.215.46;202.241.208.54;124.146.215.49;124.146.215.44;202.241.208.100;124.146.215.43;202.241.208.55;124.146.215.52;202.241.208.53;202.241.208.56;124.146.215.47;124.146.215.51;124.146.215.42;124.146.215.48;124.146.215.50;202.241.208.52;124.146.215.45;202.241.208.57;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000345613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.034{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000345612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.060{6820D070-4D64-6323-ED00-000000007502}6140tg.socdm.com0type: 5 tg.dr.socdm.com;202.241.208.57;124.146.215.46;202.241.208.54;124.146.215.49;124.146.215.44;202.241.208.100;124.146.215.43;202.241.208.55;124.146.215.52;202.241.208.53;202.241.208.56;124.146.215.47;124.146.215.51;124.146.215.42;124.146.215.48;124.146.215.50;202.241.208.52;124.146.215.45;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000345611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.033{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.033{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000345609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.058{6820D070-4D64-6323-ED00-000000007502}6140tg.socdm.com0type: 5 tg.dr.socdm.com;124.146.215.45;202.241.208.57;124.146.215.46;202.241.208.54;124.146.215.49;124.146.215.44;202.241.208.100;124.146.215.43;202.241.208.55;124.146.215.52;202.241.208.53;202.241.208.56;124.146.215.47;124.146.215.51;124.146.215.42;124.146.215.48;124.146.215.50;202.241.208.52;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000345608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.033{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000345607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.033{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000345606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.032{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000345605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.863{6820D070-4D64-6323-ED00-000000007502}6140imagesync-njrc.pubmnet.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000345604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.031{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exeC:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exeMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0trueMozilla CorporationValid 22542200x8000000000000000345603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.860{6820D070-4D64-6323-ED00-000000007502}6140imagesync-njrc.pubmnet.com0162.248.18.11;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000345602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.849{6820D070-4D64-6323-ED00-000000007502}6140spug88000nfc.pubmnet.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000345601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.842{6820D070-4D64-6323-ED00-000000007502}6140spug88000nfc.pubmnet.com0104.36.115.114;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000345600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.830{6820D070-4D64-6323-ED00-000000007502}6140r.casalemedia.com.cdn.cloudflare.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 17141700x8000000000000000345599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:28.031{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.51.98946024C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000345598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.029{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e76539|C:\Program Files\Mozilla Firefox\xul.dll+e6774a|C:\Program Files\Mozilla Firefox\xul.dll+e75602|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000345597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.821{6820D070-4D64-6323-ED00-000000007502}6140r.casalemedia.com.cdn.cloudflare.net0104.18.19.126;104.18.18.126;C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000345596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.028{6820D070-4D64-6323-ED00-000000007502}61405612C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe0x101451C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+9f9b59|C:\Program Files\Mozilla Firefox\xul.dll+7c6334|C:\Program Files\Mozilla Firefox\xul.dll+1a7fd3f|C:\Program Files\Mozilla Firefox\xul.dll+12cb5|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+127e7|C:\Program Files\Mozilla Firefox\xul.dll+9e0231|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.028{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.028{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000345593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.807{6820D070-4D64-6323-ED00-000000007502}6140usersync.gumgum.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000345592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.027{6820D070-4B7C-6323-8800-000000007502}6281180C:\Windows\system32\csrss.exe{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000345591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.026{6820D070-4D64-6323-ED00-000000007502}61405840C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\ADVAPI32.dll+189bf|C:\Program Files\Mozilla Firefox\firefox.exe+2bb52|C:\Program Files\Mozilla Firefox\firefox.exe+59d7|C:\Program Files\Mozilla Firefox\xul.dll+203367f|C:\Program Files\Mozilla Firefox\xul.dll+9f4a88|C:\Program Files\Mozilla Firefox\xul.dll+9f2b85|C:\Program Files\Mozilla Firefox\xul.dll+9faa2e|C:\Program Files\Mozilla Firefox\xul.dll+84ead3|C:\Program Files\Mozilla Firefox\xul.dll+17b26ed|C:\Program Files\Mozilla Firefox\xul.dll+17b0967|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+8523f7|C:\Program Files\Mozilla Firefox\nss3.dll+75edc|C:\Program Files\Mozilla Firefox\nss3.dll+8c1d1|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Program Files\Mozilla Firefox\mozglue.dll+1f648|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000345590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.805{6820D070-4D64-6323-ED00-000000007502}6140usersync.gumgum.com03.213.224.199;52.207.45.55;3.214.33.241;54.87.127.173;35.172.99.217;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000345589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.804{6820D070-4D64-6323-ED00-000000007502}6140tg.dr.socdm.com9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000345588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:25.804{6820D070-4D64-6323-ED00-000000007502}6140usersync.gumgum.com0::ffff:35.172.99.217;::ffff:3.213.224.199;::ffff:52.207.45.55;::ffff:3.214.33.241;::ffff:54.87.127.173;C:\Program Files\Mozilla Firefox\firefox.exe 154100x8000000000000000345587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.026{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe104.0.2FirefoxFirefoxMozilla Corporationfirefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="6140.50.53573994\310744709" -childID 47 -isForBrowser -prefsHandle 11560 -prefMapHandle 11600 -prefsLen 31603 -prefMapSize 231974 -jsInitHandle 1100 -jsInitLen 247228 -a11yResourceId 64 -parentBuildID 20220902153754 -appDir "C:\Program Files\Mozilla Firefox\browser" - 6140 "\\.\pipe\gecko-crash-server-pipe.6140" 11608 26128ebba48 tabC:\Program Files\Mozilla Firefox\ATTACKRANGE\Administrator{6820D070-4B7D-6323-1F63-0C0000000000}0xc631f2LowMD5=BBF69077780A3C362C8F6545B6B254B9,SHA256=9BA01237719ABB00128CC369D5BEA68E6EB6AFCAA47C4316EED174615B90E2B6,IMPHASH=9AE80BC4D7F699F3663D6FC8FC1CEAF0{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe"C:\Program Files\Mozilla Firefox\firefox.exe" 10341000x8000000000000000345586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.025{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.025{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.025{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.025{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.024{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.023{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.023{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.023{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.023{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.023{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.023{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.023{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.023{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.023{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.022{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.022{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.022{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.022{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.022{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.022{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.021{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.021{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.021{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.021{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.021{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000345561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.020{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 17141700x8000000000000000345560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:28.018{6820D070-4D64-6323-ED00-000000007502}6140\chrome.6140.50.5357399C:\Program Files\Mozilla Firefox\firefox.exe 734700x8000000000000000345559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.009{6820D070-4DFB-6323-3501-000000007502}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000345558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.007{6820D070-4DFB-6323-3501-000000007502}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000345557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:28.005{6820D070-4DFB-6323-3501-000000007502}9452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000189940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:28.617{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B3FBC7EEECE6E6F3DEB8401F155EFB0,SHA256=DB610819A0B5F21943B1C682FDA8911431C7DACAE54B381B87F1B4B4448CADF1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000345996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:29.748{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000345995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:29.748{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000345994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:29.748{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000345993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:29.747{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000345992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:29.747{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000345991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:29.747{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000345990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:29.694{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000345989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:29.694{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000345988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:29.694{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000345987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:29.693{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000345986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:29.693{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000345985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:29.693{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 354300x8000000000000000345984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.696{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local62837- 354300x8000000000000000345983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.696{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local60451- 354300x8000000000000000345982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.696{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local55861- 354300x8000000000000000345981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:27.086{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63503-false199.187.193.192-443https 23542300x8000000000000000345980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:29.084{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\15358MD5=8B5F523E8A1673DE6C699A6A2CCAE86D,SHA256=095FEB142950AEDCBBDF18A2B926F0F8E57244019236A0CCD8F132DE755DDBAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:29.687{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=386CFBBF8ED14FD6085509BE49AA5950,SHA256=A4764D1E98FFD6625427B89DD18592154C7CDA9ECC5FD163E7FCBEF8356B63E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000346048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:30.922{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:30.922{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:30.922{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:30.921{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:30.921{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:30.921{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 23542300x8000000000000000346042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:30.896{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\31867MD5=A5C8A177B775A63157BE087A145F6511,SHA256=9F1A5E5B98BCC5217D3B3D427A17E97C00208D5803A9AA1C28F6C793D2F590EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000346041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:30.867{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:30.867{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:30.867{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:30.866{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:30.866{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:30.866{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:30.816{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:30.816{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:30.816{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:30.815{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:30.815{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:30.815{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:30.517{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:30.517{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:30.517{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:30.516{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:30.516{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:30.516{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:30.449{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:30.449{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:30.449{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:30.448{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:30.448{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:30.448{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 23542300x8000000000000000346017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:30.425{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\storage\default\https+++www.tutorialspoint.com\ls\data.sqlite-journalMD5=B09C2479F5801E1B3A4A6D66D42DAA1E,SHA256=9DE46467609B309997C7C872F5D1787A0193A66DAB09D7A19BEDB97B06166716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000346016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:30.416{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\storage\default\https+++www.tutorialspoint.com\ls\usageMD5=C2C616687D11897E56BF841204DEB6BB,SHA256=F31DF45083A9F4A39EBBC47E02CD8F4D62757DB9018575D1BE39C1362B7557D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000346015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:30.204{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:30.204{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:30.204{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:30.203{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:30.203{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:30.203{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:30.061{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:30.061{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:30.061{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:30.061{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:30.061{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:30.061{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 22542200x8000000000000000346003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.917{6820D070-4D64-6323-ED00-000000007502}6140cdn.indexww.com.cdn.cloudflare.net02606:4700::6812:d4c;2606:4700::6812:c4c;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000346002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.915{6820D070-4D64-6323-ED00-000000007502}6140cdn.indexww.com.cdn.cloudflare.net0104.18.13.76;104.18.12.76;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000346001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.914{6820D070-4D64-6323-ED00-000000007502}6140cdn.indexww.com0type: 5 cdn.indexww.com.cdn.cloudflare.net;::ffff:104.18.12.76;::ffff:104.18.13.76;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000346000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.911{6820D070-4D64-6323-ED00-000000007502}6140cdn.indexww.com0type: 5 cdn.indexww.com.cdn.cloudflare.net;::ffff:104.18.13.76;::ffff:104.18.12.76;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000345999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.834{6820D070-4D64-6323-ED00-000000007502}6140e9126.x.akamaiedge.net9501-C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000345998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.831{6820D070-4D64-6323-ED00-000000007502}6140e9126.x.akamaiedge.net0104.122.45.12;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x8000000000000000345997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:26.816{6820D070-4D64-6323-ED00-000000007502}6140stags.bluekai.com0type: 5 tags.bluekai.com.edgekey.net;type: 5 e9126.x.akamaiedge.net;::ffff:104.122.45.12;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000189942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:30.882{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F79E4FF68B376894C254BC80451D7847,SHA256=6F951F81B359385FA70785C1A2EEBB5A96EB5ED1012E69658FBAB6C53032CCA2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000346074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:31.707{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:31.707{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:31.707{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:31.705{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:31.705{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:31.705{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:31.661{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:31.661{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:31.661{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:31.661{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:31.661{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:31.660{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:31.637{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:31.637{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:31.637{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:31.636{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:31.636{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:31.636{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 354300x8000000000000000346056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:29.477{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63489-false198.148.27.140-443https 13241300x8000000000000000346055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 16:08:31.417{6820D070-4AD1-6323-1200-000000007502}396C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8c91d-0x6640aa50) 10341000x8000000000000000346054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:31.343{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:31.343{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:31.343{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:31.343{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:31.343{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:31.342{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 354300x8000000000000000189944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:30.375{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49852-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000189943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:32.183{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=103CC1F3D097C2D46228DBC994216F75,SHA256=C608FA3EF1B800DC9D55847F7C03FD83AE143DB499AC86A0DD8C71C93986DC90,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000346076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:31.378{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63504-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000346075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:33.155{6820D070-4ADF-6323-2900-000000007502}2576NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\respondent-20220915155514-012MD5=3EE9864ACDFFE78A8B2E0DEDF704C720,SHA256=3E9075B80C33CFA58EAF977E4450D367AD693E429428DFB55B91DE7FD240E49F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:33.262{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D13EA75300D8B3F930860C29907680F3,SHA256=83211177834D388EFB141CC0381D440373BF886459831E8B64C045E418D94F3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000346077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:34.170{6820D070-4ADF-6323-2900-000000007502}2576NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\surveyor-20220915155511-013MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:34.347{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=584A73D154D7824E93513627E3A876F8,SHA256=38D12ED1B97E57A94A23B1CDF27982385F899655F970236733A481D445009741,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:35.401{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=092BF85B734F68161FBFFA4A3D2BC0B4,SHA256=CB81E6C25F82110D443657D048CF38ED8105C934C94B256C803C959D446256C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:36.578{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D28A72A1DA370F739C9CD05991D26810,SHA256=0F288CCF6857C9FC88DCFAB7E4743CE223C2DAF6E6A0E882E76216A72AC5F3B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000346080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:35.049{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local60092- 354300x8000000000000000346079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:35.048{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local61578- 354300x8000000000000000346078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:35.019{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63475-false198.148.27.140-443https 23542300x8000000000000000189950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:37.772{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BB9675EF859F54EDDF50FAFDE503456,SHA256=4644C3E7684ED2B750B1BC41CB07048EAC4C45DF6125CB5D6A98914DAA299AB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000189949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:35.454{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49853-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000346081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:35.050{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local57050- 23542300x8000000000000000189951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:38.860{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4C4BC33D20A7EB39DF32EDFBBA54EB3,SHA256=157588930699B285A39DF40A1CC6B28FC1DDE1A8BE6EECD7683A1F9A1335090D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000346107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:39.725{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2E00-000000007502}2728C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:39.724{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2D00-000000007502}2720C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:39.717{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 354300x8000000000000000346104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:37.244{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63505-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000346103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:39.554{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\3566MD5=DF922317F9F12D44415FA3521F34180D,SHA256=0432AE660022F481FEE8FB1A8D401E9EC942ABFFC070840885B6A8322A190B5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000346102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:39.358{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:39.353{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2900-000000007502}2576C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:39.347{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:39.339{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2600-000000007502}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:39.332{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2500-000000007502}2460C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:39.329{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADB-6323-2300-000000007502}2300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:39.328{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD2-6323-1B00-000000007502}1512C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:39.326{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1700-000000007502}1348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:39.316{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1600-000000007502}1292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:39.289{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:39.282{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1400-000000007502}1160C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:39.270{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1300-000000007502}924C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:39.256{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1200-000000007502}396C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:39.240{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1100-000000007502}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:39.234{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1000-000000007502}428C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:39.224{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0F00-000000007502}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:39.218{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:39.207{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0D00-000000007502}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:39.200{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:39.165{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:39.163{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0900-000000007502}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 23542300x8000000000000000189952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:40.055{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47C4203565A7C0733A2B2E94016C04CD,SHA256=FD0E7B4B23866FE1B2A2785CE4804F0598E6BBD94AB6662E082C592B74EF54D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000346128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:41.980{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2701-000000007502}7268C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7cd17|C:\Program Files\Mozilla Firefox\xul.dll+85d815|C:\Program Files\Mozilla Firefox\xul.dll+85091a|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:41.980{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2801-000000007502}7392C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7cd17|C:\Program Files\Mozilla Firefox\xul.dll+85d815|C:\Program Files\Mozilla Firefox\xul.dll+85091a|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:41.980{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2601-000000007502}7252C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7cd17|C:\Program Files\Mozilla Firefox\xul.dll+85d815|C:\Program Files\Mozilla Firefox\xul.dll+85091a|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:41.976{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF7-6323-1801-000000007502}6996C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7cd17|C:\Program Files\Mozilla Firefox\xul.dll+85d815|C:\Program Files\Mozilla Firefox\xul.dll+85091a|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:41.976{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2101-000000007502}6760C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7cd17|C:\Program Files\Mozilla Firefox\xul.dll+85d815|C:\Program Files\Mozilla Firefox\xul.dll+85091a|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:41.976{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-1E01-000000007502}7164C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7cd17|C:\Program Files\Mozilla Firefox\xul.dll+85d815|C:\Program Files\Mozilla Firefox\xul.dll+85091a|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:41.976{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF6-6323-1501-000000007502}6864C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7cd17|C:\Program Files\Mozilla Firefox\xul.dll+85d815|C:\Program Files\Mozilla Firefox\xul.dll+85091a|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:41.976{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF4-6323-1301-000000007502}3028C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7cd17|C:\Program Files\Mozilla Firefox\xul.dll+85d815|C:\Program Files\Mozilla Firefox\xul.dll+85091a|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:41.972{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4D98-6323-0801-000000007502}224C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7cd17|C:\Program Files\Mozilla Firefox\xul.dll+85d815|C:\Program Files\Mozilla Firefox\xul.dll+85091a|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:41.972{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DA0-6323-0901-000000007502}6436C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7cd17|C:\Program Files\Mozilla Firefox\xul.dll+85d815|C:\Program Files\Mozilla Firefox\xul.dll+85091a|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:41.929{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4D98-6323-0701-000000007502}5152C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7cd17|C:\Program Files\Mozilla Firefox\xul.dll+85d815|C:\Program Files\Mozilla Firefox\xul.dll+85091a|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:41.916{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4DF6-6323-1401-000000007502}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:41.888{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4D98-6323-0701-000000007502}5152C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7cd17|C:\Program Files\Mozilla Firefox\xul.dll+85d815|C:\Program Files\Mozilla Firefox\xul.dll+85091a|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:41.750{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3500-000000007502}2408C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:41.749{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3300-000000007502}2176C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:41.746{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:41.745{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3100-000000007502}2816C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:41.742{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2F00-000000007502}2800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:41.738{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3000-000000007502}2780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 354300x8000000000000000346109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:39.268{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local54769- 354300x8000000000000000346108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:39.267{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local62144- 23542300x8000000000000000189953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:41.151{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=110E4CDFC4D83D420E361471D381577F,SHA256=2EE22ECC56CECCEFB3E941A05D9AAD640C21BE195ABCF7B01DE037E9828B41A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000346178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:41.085{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local55517- 354300x8000000000000000346177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:41.078{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local57781- 354300x8000000000000000346176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:41.071{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59406- 354300x8000000000000000346175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:41.069{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local56583- 10341000x8000000000000000346174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:42.870{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:42.867{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:42.866{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:42.861{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:42.857{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:42.855{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF6-6323-1401-000000007502}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:42.854{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:42.852{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F100-000000007502}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:42.848{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F000-000000007502}6028C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:42.846{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EF00-000000007502}5984C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:42.843{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EE00-000000007502}5852C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:42.818{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:42.813{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:42.805{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:42.789{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:42.784{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-9100-000000007502}4556C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:42.778{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-8E00-000000007502}4492C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:42.775{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8B00-000000007502}4360C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:42.773{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8900-000000007502}900C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:42.771{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B64-6323-8600-000000007502}5052c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:42.769{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B5A-6323-8400-000000007502}4824C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 23542300x8000000000000000346153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:42.284{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\protections.sqlite-journalMD5=5DC0A1546B3C04A46FBC7337333F5A9D,SHA256=5469E91913FA5325CFE28A6722ACE3AEED1AFBC5B714EF3798E516713937D998,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000346152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:42.264{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AF2-6323-7D00-000000007502}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:42.263{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:42.262{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4C00-000000007502}3976C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:42.261{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4700-000000007502}3772C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:42.260{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE1-6323-4600-000000007502}3752C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:42.253{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE0-6323-3A00-000000007502}3404C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:42.134{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2401-000000007502}7216C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7cd17|C:\Program Files\Mozilla Firefox\xul.dll+85d815|C:\Program Files\Mozilla Firefox\xul.dll+85091a|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:42.134{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFA-6323-2E01-000000007502}8704C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7cd17|C:\Program Files\Mozilla Firefox\xul.dll+85d815|C:\Program Files\Mozilla Firefox\xul.dll+85091a|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:42.134{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFB-6323-3301-000000007502}8236C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7cd17|C:\Program Files\Mozilla Firefox\xul.dll+85d815|C:\Program Files\Mozilla Firefox\xul.dll+85091a|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:42.134{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFA-6323-2B01-000000007502}8496C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7cd17|C:\Program Files\Mozilla Firefox\xul.dll+85d815|C:\Program Files\Mozilla Firefox\xul.dll+85091a|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:42.134{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2001-000000007502}6756C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7cd17|C:\Program Files\Mozilla Firefox\xul.dll+85d815|C:\Program Files\Mozilla Firefox\xul.dll+85091a|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:42.133{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFA-6323-2D01-000000007502}8560C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7cd17|C:\Program Files\Mozilla Firefox\xul.dll+85d815|C:\Program Files\Mozilla Firefox\xul.dll+85091a|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:42.133{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFB-6323-3201-000000007502}7028C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7cd17|C:\Program Files\Mozilla Firefox\xul.dll+85d815|C:\Program Files\Mozilla Firefox\xul.dll+85091a|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:42.112{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-1D01-000000007502}7048C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7cd17|C:\Program Files\Mozilla Firefox\xul.dll+85d815|C:\Program Files\Mozilla Firefox\xul.dll+85091a|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:42.068{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFB-6323-3401-000000007502}8232C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7cd17|C:\Program Files\Mozilla Firefox\xul.dll+85d815|C:\Program Files\Mozilla Firefox\xul.dll+85091a|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:42.068{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFB-6323-3101-000000007502}9124C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7cd17|C:\Program Files\Mozilla Firefox\xul.dll+85d815|C:\Program Files\Mozilla Firefox\xul.dll+85091a|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:42.068{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF6-6323-1601-000000007502}5640C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7cd17|C:\Program Files\Mozilla Firefox\xul.dll+85d815|C:\Program Files\Mozilla Firefox\xul.dll+85091a|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:42.068{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2901-000000007502}7704C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7cd17|C:\Program Files\Mozilla Firefox\xul.dll+85d815|C:\Program Files\Mozilla Firefox\xul.dll+85091a|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:42.056{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2201-000000007502}7044C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7cd17|C:\Program Files\Mozilla Firefox\xul.dll+85d815|C:\Program Files\Mozilla Firefox\xul.dll+85091a|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:42.052{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFB-6323-3601-000000007502}9464C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7cd17|C:\Program Files\Mozilla Firefox\xul.dll+85d815|C:\Program Files\Mozilla Firefox\xul.dll+85091a|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:42.052{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFA-6323-2C01-000000007502}8504C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7cd17|C:\Program Files\Mozilla Firefox\xul.dll+85d815|C:\Program Files\Mozilla Firefox\xul.dll+85091a|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:42.044{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DFB-6323-2F01-000000007502}9096C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7cd17|C:\Program Files\Mozilla Firefox\xul.dll+85d815|C:\Program Files\Mozilla Firefox\xul.dll+85091a|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:42.040{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2501-000000007502}7240C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7cd17|C:\Program Files\Mozilla Firefox\xul.dll+85d815|C:\Program Files\Mozilla Firefox\xul.dll+85091a|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:42.040{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF9-6323-2301-000000007502}7208C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7cd17|C:\Program Files\Mozilla Firefox\xul.dll+85d815|C:\Program Files\Mozilla Firefox\xul.dll+85091a|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000189955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:42.453{E743DC12-4AD1-6323-2200-000000007602}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=239415242478E30B801D91FC0A5D4D88,SHA256=B840984BA0CB7CAA8D69B7360653B7F63B7C5D4EFDD1071019C744B244746BCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:42.234{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=200E7D970D5E11F9736470C50B871B44,SHA256=8D633DAF5B233EF424E310A53617A2EEF83597E38D567881BAD1066CD7F73E7A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000346185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:41.681{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63506-false74.119.119.149-443https 354300x8000000000000000346184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:41.136{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local55953- 354300x8000000000000000346183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:41.132{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63431- 354300x8000000000000000346182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:41.129{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local58967- 354300x8000000000000000346181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:41.128{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local58614- 354300x8000000000000000346180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:41.127{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local64465- 354300x8000000000000000346179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:41.126{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local58001- 10341000x8000000000000000189964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:43.980{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1000-000000007602}940C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000189963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:43.974{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0F00-000000007602}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000189962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:43.966{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0E00-000000007602}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000189961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:43.949{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0D00-000000007602}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000189960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:43.942{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0C00-000000007602}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000189959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:43.933{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000189958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:43.931{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0900-000000007602}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 354300x8000000000000000189957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:41.399{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49854-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000189956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:43.432{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4157F8697839146352D4F16236DFCB2,SHA256=BEB2C392417ADE3396914C25B91BDA0ECD37F1FEB115D0116B00163152F2830A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000346186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:44.748{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=724D884E56B686160D03A43336AF9B98,SHA256=EEC700392E0FCB62784E38A60B457C531070CD0F2579FA2E9C920EB00660CD5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:44.616{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E6A1270F87292DF3B28B54351E1C4EE,SHA256=DAC9A84C11B6AF4052F9D7DD2297BF3162D6293BCA9AA4776D674DA92AF80B4E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000189993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:44.201{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B84-6323-9000-000000007602}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000189992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:44.186{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000189991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:44.167{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000189990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:44.161{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8700-000000007602}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000189989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:44.152{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B81-6323-8400-000000007602}3052C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000189988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:44.144{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B80-6323-8100-000000007602}640C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000189987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:44.139{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B7F-6323-7F00-000000007602}1676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000189986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:44.137{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B4B-6323-7B00-000000007602}2656C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000189985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:44.135{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AE3-6323-6D00-000000007602}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000189984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:44.133{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000189983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:44.130{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4200-000000007602}3036C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000189982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:44.129{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4000-000000007602}3000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000189981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:44.128{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-3C00-000000007602}2820C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000189980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:44.127{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD2-6323-2B00-000000007602}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000189979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:44.126{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2600-000000007602}2612C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000189978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:44.124{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2500-000000007602}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000189977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:44.121{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000189976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:44.117{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000189975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:44.115{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2000-000000007602}2000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000189974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:44.112{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1F00-000000007602}1984C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000189973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:44.105{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1C00-000000007602}1924C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000189972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:44.090{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1900-000000007602}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000189971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:44.073{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1700-000000007602}1228C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000189970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:44.070{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1600-000000007602}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000189969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:44.057{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1500-000000007602}1056C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000189968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:44.029{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1400-000000007602}1048C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000189967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:44.019{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1300-000000007602}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000189966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:44.011{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1200-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000189965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:44.000{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1100-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 23542300x8000000000000000346187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:45.065{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\31164MD5=B7ADA4B84852C209148ABF2845F6A4A0,SHA256=0AB7E9C0C21ECD17C050F85A63E72B4D9551FD07E1D8F3F7030FDF404A2D9AEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:45.703{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5757B1371043517213DA53C616BFFD80,SHA256=267369541D011999A072CB705AA2ED2E8811019C823B5EAFF42F7485628CDA91,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000346190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:43.236{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63507-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000346189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:46.351{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20AB6F2C8BD5096A3F94AF2E8A2B0644,SHA256=AD2EE29821CAB34FA5A4E3E4E2954689417C7B01DAF23FA1DAA5A243AE8BFB2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000346188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:46.018{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\permissions.sqlite-journalMD5=A0246693DF5A5B61975FC53D9943D301,SHA256=3D47DF1AF909C3BA51FCB5DACADBD35E255825DF4C8F0C0F55AF6EC9ED4DA275,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:46.768{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5354704A39E757C5087E00662C2E36C6,SHA256=CE8338728EFFC4D9D4DBC7CA5958F4DBA2DF9622B96E58C8DEBEFC77EBCA1A08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000346192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:47.461{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\storage\default\https+++www.google.com\ls\data.sqlite-journalMD5=B79C91F6BD62AEBD35CF68A8865A8B42,SHA256=6EE61F94B32710536603AE02FA39C6D92012FDF634EF7EE722F4F73E8C18EBD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000346191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:47.453{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\storage\default\https+++www.google.com\ls\usageMD5=22B5AD158BB6723D071FB56BD98F7A95,SHA256=3DDFEBD52DB104A0B54745D9F51543301E886A5AF268C2FA25FB90AE6D59BCA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:47.850{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90724A42675CDE0DA144D773EC7B6DB7,SHA256=CCBD0B9D7191638308AA071E67BADA143E91A7B3683CA3CBCD5DF8839BA6208B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000346196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:48.564{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=934ADB2EB383D6472D925E4CBFE111F4,SHA256=C198996BB82E3957CDD243A3891D25C3C23AA4A4D2B2818EB445BC5C5824F41B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000346195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:48.052{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=959943DC1FB1475909574FB6E116FDDA,SHA256=779F9D9E17F7C37AF075D2F34494AD9FD7BA32ED88B605116FF255DBEF1D2015,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000346194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:48.048{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FBDD17A38268F3DBBAC05E9F1345B2B,SHA256=EDED2CC92DB2C2788B836749947A0353A44F6C182B5FA2749BE670D7B7B8D1EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000346193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:48.044{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB8B65E72D6D2707C7298B1D5DD65185,SHA256=3542CB9C54C096F75D0FC41B03722127B2CBE41D1EFFCD4B9C09D9B20BF6C468,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000189998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:48.939{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC6C9B781D590C6A9EDCE19BF62F3BDB,SHA256=4F076D280269FF111F2CBC3E1A09B9EC02833B5EFB35E32E41F3F5C8182D01DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000346206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:49.778{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\indexMD5=2195739B5DCA39FDFA6B241823A4D3F7,SHA256=F630671795DB29F01214422CA79763C12B5B17CD82AD8F8ABF2F943AADD6F1F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000346205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:49.774{6820D070-4D64-6323-ED00-000000007502}61404264C:\Program Files\Mozilla Firefox\firefox.exe{6820D070-4DF6-6323-1401-000000007502}6248C:\Program Files\Mozilla Firefox\firefox.exe0x2200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+27040|C:\Program Files\Mozilla Firefox\xul.dll+e7c824|C:\Program Files\Mozilla Firefox\xul.dll+e7cd17|C:\Program Files\Mozilla Firefox\xul.dll+85d815|C:\Program Files\Mozilla Firefox\xul.dll+85091a|C:\Program Files\Mozilla Firefox\xul.dll+1a629d7|C:\Program Files\Mozilla Firefox\xul.dll+17b18ec|C:\Program Files\Mozilla Firefox\xul.dll+1a88fb4|C:\Program Files\Mozilla Firefox\xul.dll+9e349f|C:\Program Files\Mozilla Firefox\xul.dll+1fc8e|C:\Program Files\Mozilla Firefox\xul.dll+180dd8|C:\Program Files\Mozilla Firefox\xul.dll+17fd52|C:\Program Files\Mozilla Firefox\xul.dll+44a9b51|C:\Program Files\Mozilla Firefox\xul.dll+4511b42|C:\Program Files\Mozilla Firefox\xul.dll+451296c|C:\Program Files\Mozilla Firefox\xul.dll+1f8be23|C:\Program Files\Mozilla Firefox\firefox.exe+19db6|C:\Program Files\Mozilla Firefox\firefox.exe+27d18|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:49.770{6820D070-4B7F-6323-9900-000000007502}29724972C:\Windows\Explorer.EXE{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:49.770{6820D070-4B7F-6323-9900-000000007502}29724972C:\Windows\Explorer.EXE{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:49.770{6820D070-4B7F-6323-9900-000000007502}29724972C:\Windows\Explorer.EXE{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:49.766{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+ca500|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:49.766{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+66460|C:\Windows\System32\SHELL32.dll+ca4bc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:49.766{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+ca490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:49.766{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000346197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:49.588{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F01059AC93BB4D0F5885B2B398483B0,SHA256=26874DB2CBAD0AF731E72D59377E3D05B05F888D3DAE828A0D048CD6624C1967,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000346208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:48.342{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63508-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000346207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:50.606{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07F3B33DC8650A1E44EC0F5E32C558BC,SHA256=8F1B42FD89E58AB04F9181164FA15D6AD7147CC7151E9D1F3443DB68EF66DF01,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:47.391{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49855-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000189999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:50.010{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E7BADBF38BB8D4A160186411B88AAA4,SHA256=5C31F4CD7F3BE8724142BC4EF958F089CEB0652E53F7A37D9D03ECB3011ADDC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000346209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:51.616{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1832CB6DEEDDE8EE299B43D300340B9F,SHA256=55973865367F7C7F6D4089E0CA090DFF9350CE760111C8317FADCCAE53055A17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:51.084{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E609C4313F4B4139C5272EF60BD2B710,SHA256=1110552A23FF98022AF0172F9AC50A42F9220A10CC53E6D94A2D4445A2803AEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000346250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:52.907{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A806634A2F83821C7FAF8FAC0B84D023,SHA256=57F5C5967003D2B3277BFD1C34312CA97A33DBF7B9ED885B8574633BBD5B3525,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:52.158{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A04892F515807D5BBC969DC96D7B161B,SHA256=8C45AE8B90F6DBB56888BCEACDDED9E7FF6A555CCC8DCF2FBAB7F54A1A794BD7,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000346249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:52.021{6820D070-4E14-6323-3A01-000000007502}9496C:\Windows\System32\rundll32.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x8000000000000000346248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:52.017{6820D070-4E14-6323-3A01-000000007502}9496C:\Windows\System32\rundll32.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000346247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:52.017{6820D070-4E14-6323-3A01-000000007502}9496C:\Windows\System32\rundll32.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000346246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:52.017{6820D070-4E14-6323-3A01-000000007502}9496C:\Windows\System32\rundll32.exeC:\Windows\System32\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=CA0121D9089BBFE1CB95A04E09E04C90,SHA256=B264FBE125E02FFBCDBBFF811B75B3ECEF31FD7762BD67BEE41492ED33CC146F,IMPHASH=EB898F83C3A5D6877A523BC64B41CB06trueMicrosoft WindowsValid 10341000x8000000000000000346245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:52.017{6820D070-4AD1-6323-1500-000000007502}12201384C:\Windows\system32\svchost.exe{6820D070-4E14-6323-3A01-000000007502}9496C:\Windows\System32\rundll32.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:52.017{6820D070-4AD1-6323-1500-000000007502}12201256C:\Windows\system32\svchost.exe{6820D070-4E14-6323-3A01-000000007502}9496C:\Windows\System32\rundll32.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000346243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:52.017{6820D070-4E14-6323-3A01-000000007502}9496C:\Windows\System32\rundll32.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000346242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:52.013{6820D070-4E14-6323-3A01-000000007502}9496C:\Windows\System32\rundll32.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000346241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:52.013{6820D070-4E14-6323-3A01-000000007502}9496C:\Windows\System32\rundll32.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000346240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:52.013{6820D070-4E14-6323-3A01-000000007502}9496C:\Windows\System32\rundll32.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000346239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:52.013{6820D070-4E14-6323-3A01-000000007502}9496C:\Windows\System32\rundll32.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000346238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:52.013{6820D070-4E14-6323-3A01-000000007502}9496C:\Windows\System32\rundll32.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000346237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:52.013{6820D070-4E14-6323-3A01-000000007502}9496C:\Windows\System32\rundll32.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000346236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:52.013{6820D070-4E14-6323-3A01-000000007502}9496C:\Windows\System32\rundll32.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000346235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:52.013{6820D070-4E14-6323-3A01-000000007502}9496C:\Windows\System32\rundll32.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000346234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:52.009{6820D070-4E14-6323-3A01-000000007502}9496C:\Windows\System32\rundll32.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000346233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:52.009{6820D070-4E14-6323-3A01-000000007502}9496C:\Windows\System32\rundll32.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000346232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:52.009{6820D070-4E14-6323-3A01-000000007502}9496C:\Windows\System32\rundll32.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000346231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:52.009{6820D070-4E14-6323-3A01-000000007502}9496C:\Windows\System32\rundll32.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000346230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:52.009{6820D070-4E14-6323-3A01-000000007502}9496C:\Windows\System32\rundll32.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000346229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:52.009{6820D070-4E14-6323-3A01-000000007502}9496C:\Windows\System32\rundll32.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x8000000000000000346228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:52.005{6820D070-4E14-6323-3A01-000000007502}9496C:\Windows\System32\rundll32.exeC:\Windows\System32\imagehlp.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT Image HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationIMAGEHLP.DLLMD5=E1C665DC0FD5A7423B0C0F5325A1027F,SHA256=8B84BE9335EF640ABAA8E8BBA45C6BC77F2251359D4BCC157235CB4BC107AE69,IMPHASH=C88C4D131D277C03F0879B4E0D5679DBtrueMicrosoft WindowsValid 734700x8000000000000000346227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:52.005{6820D070-4E14-6323-3A01-000000007502}9496C:\Windows\System32\rundll32.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000346226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:52.005{6820D070-4E14-6323-3A01-000000007502}9496C:\Windows\System32\rundll32.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000346225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:52.005{6820D070-4E14-6323-3A01-000000007502}9496C:\Windows\System32\rundll32.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000346224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:52.005{6820D070-4E14-6323-3A01-000000007502}9496C:\Windows\System32\rundll32.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000346223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:52.005{6820D070-4E14-6323-3A01-000000007502}9496C:\Windows\System32\rundll32.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000346222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:52.005{6820D070-4E14-6323-3A01-000000007502}9496C:\Windows\System32\rundll32.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x8000000000000000346221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:52.005{6820D070-4B7C-6323-8800-000000007502}6284268C:\Windows\system32\csrss.exe{6820D070-4E14-6323-3A01-000000007502}9496C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x8000000000000000346220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:52.005{6820D070-4E14-6323-3A01-000000007502}9496C:\Windows\System32\rundll32.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000346219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:52.005{6820D070-4E14-6323-3A01-000000007502}9496C:\Windows\System32\rundll32.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000346218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:52.001{6820D070-4E14-6323-3A01-000000007502}9496C:\Windows\System32\rundll32.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000346217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:52.001{6820D070-4E14-6323-3A01-000000007502}9496C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6CtrueMicrosoft WindowsValid 10341000x8000000000000000346216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:52.001{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:52.001{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:52.001{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:52.001{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:52.001{6820D070-4ACF-6323-0500-000000007502}404420C:\Windows\system32\csrss.exe{6820D070-4E14-6323-3A01-000000007502}9496C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000346211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:52.001{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4E14-6323-3A01-000000007502}9496C:\Windows\System32\rundll32.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+265d2|c:\windows\system32\rpcss.dll+4233d|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000346210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:52.002{6820D070-4E14-6323-3A01-000000007502}9496C:\Windows\System32\rundll32.exe10.0.14393.4169 (rs1_release.210107-1130)Windows host process (Rundll32)Microsoft® Windows® Operating SystemMicrosoft CorporationRUNDLL32.EXEC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{6820D070-4B7D-6323-1F63-0C0000000000}0xc631f2HighMD5=23DB802097F7B7E520E40068A7E68B14,SHA256=28DE7D3E8BF4B19E44063A4BFC2E7C30AE488CD9A1F63320ED374E14AAECA667,IMPHASH=7D1CE1BAFE48B63D9D19E8E0E5DF3E6C{6820D070-4AD1-6323-0C00-000000007502}828C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x8000000000000000346252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:53.964{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FBDEFFBFCBCE4CB787CC19EF139605E,SHA256=B576561D7442FF492DB1D30CFFEB431EBA7B626417046AEFF9EA46D2B372CFE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:53.355{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F0AD1F5F0661BBE0D407916FEC91849,SHA256=D03E54B5640C70E53C688AC27A0F162660B94737BE9D2A1191EE40E91904E61A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000346251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:53.099{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1216EF4E6D36756B058895C81104E601,SHA256=4ED20B89908E1F4A7C9D0BB60B8D8A4F0B3B2B8B16FEB5391DB501537D730BBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000346253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:54.978{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73685F17DF86A40E9541506F20DE99C9,SHA256=8D69983E2151372811810BE53938E6AC020C1693E680112F5A8180F36AC6A25C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:54.535{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=796317D3DE908DD5407CC2A0E4F7DA65,SHA256=E2941F78B8FFDB71845412A9528F22C0085E30C3C067948BFC07BB78C55FABE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000346256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:55.991{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4599B3B836D03369E6EC00B21205BD7,SHA256=BC5E2B1C935620B85BB2E5ABC59600EBF1BE0BE9F55596CA7C6EC95138B9D01B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:55.613{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A3A2F39897F4F1359984FDC97BFCAD7,SHA256=6D9B9ED96E8F237110C659141F131DC80C4FCD925F61BE47616120C69695F9CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000346255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:53.690{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A62172- 354300x8000000000000000346254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:53.448{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63509-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000190007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:56.689{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D260456746E0F2534A43A2A0866BD92,SHA256=D3BB7EBFFBD20AAB70A505813BF7C3F4E7E1DA7C9DB5D83719284C436EAD07DE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:53.325{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49856-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000190010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:57.773{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F2AB58901612A7A8E8B8A8077C0524D,SHA256=45F711111275344AA2A589EBE540298917F3AB66950A425AC065C649D9D5C935,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000346312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.986{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.979{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.979{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 734700x8000000000000000346309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.715{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946,IMPHASH=2DCB08A6E31A83C3EA33C5793EFA9A56trueMicrosoft WindowsValid 734700x8000000000000000346308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.715{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088,IMPHASH=76F056ED62EDF4D48793D8C5EDA733ADtrueMicrosoft WindowsValid 734700x8000000000000000346307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.715{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\coreclr.dll6,0,21,52210 @Commit: 4822e3c3aa77eb82b2fb33c9321f923cf11ddde6Microsoft .NET RuntimeMicrosoft® .NETMicrosoft CorporationCoreCLR.dllMD5=E2FACF2F73C251FCF034BFE926A44893,SHA256=2D52B48020B91C661C3C9CE0970F525ED2C0E1723669FFDBD8460F6532FADF54,IMPHASH=33015E36A96617B4B11824371A68A2FDtrue.NETValid 734700x8000000000000000346306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.638{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\hostpolicy.dll6,0,21,52210 @Commit: 4822e3c3aa77eb82b2fb33c9321f923cf11ddde6.NET Host Policy - 6.0.0Microsoft® .NET FrameworkMicrosoft Corporation.NET Host Policy - 6.0.0MD5=B7B65B552E6CE21529611B55A52CA104,SHA256=D8B768FE1784B1FCC5648669DC2BEF0C84C9A6219A4C7ED185A9FAF385C19350,IMPHASH=761C2F542982EB2D9490FFF2D186431Atrue.NETValid 734700x8000000000000000346305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.614{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\hostfxr.dll6,0,21,52210 @Commit: 4822e3c3aa77eb82b2fb33c9321f923cf11ddde6.NET Host Resolver - 6.0.0Microsoft® .NET FrameworkMicrosoft Corporation.NET Host Resolver - 6.0.0MD5=22360C3D2CD8F036ACEB6BB2D647DE28,SHA256=BEFA74AB5C3C92CED6E339DF5C97FD5F2CACC27FDD2F98B021FC63301EAC81B9,IMPHASH=842E74F1E5BCF2B7DBFF6C5965847D3Atrue.NETValid 734700x8000000000000000346304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.599{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69,IMPHASH=9F60CD6001B5CEA647B250DFF3B6F65AtrueMicrosoft WindowsValid 734700x8000000000000000346303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.599{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7,IMPHASH=8B861EA72FDD6FC722328B2746B13380trueMicrosoft WindowsValid 734700x8000000000000000346302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.594{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489,IMPHASH=689E2A5805AE9CF0919D2DDDDDC411CCtrueMicrosoft WindowsValid 734700x8000000000000000346301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.594{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=495127E6E6D5CAEDE18A809EAEFFC349,SHA256=9F621D36BCD75AE97E1BCBA9BBFD75FEC74C6CA87AEF81F3190173CBF7CC2A45,IMPHASH=C3B61C1F5D46A607D624033E7094E4FFtrueMicrosoft WindowsValid 734700x8000000000000000346300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.594{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8,IMPHASH=918DADABE6E41CFBB03F954A46D3F72EtrueMicrosoft WindowsValid 734700x8000000000000000346299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.594{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891,IMPHASH=C7D6B46400E43E7BE538D1CCB512EC25trueMicrosoft WindowsValid 734700x8000000000000000346298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.594{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=1B90C58145F4B3C0743C470793469AD6,SHA256=21D752964E10DBB4DFC589856AA808D31E301B93C9E5FF6D1655D32FBD00AF44,IMPHASH=AC11100B3FFA7FCAFA188E618E4C7CC1trueMicrosoft WindowsValid 734700x8000000000000000346297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.594{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=C6EE0DB29435BF41835FFA96EB2F14C5,SHA256=CAF9E05D47F84728986E1BF563B3B87FAF3522F4E0CC4FD95694F418C307AD92,IMPHASH=DFB6F6F4811855AE14F8E8492E1C602FtrueMicrosoft WindowsValid 734700x8000000000000000346296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.594{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87,IMPHASH=44F906D172B935DEA0C5D038C6FA8449trueMicrosoft WindowsValid 734700x8000000000000000346295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.594{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=9629C30BA0F10D72FD189FCA987B0E29,SHA256=4DDAF3BB8CE239A8AD41F333AE7D2AD6B7763B9ED8B862695B67F60E5ADE031C,IMPHASH=7E0E904C0FD68DBF5F794D700C0C3C3DtrueMicrosoft WindowsValid 17141700x8000000000000000346294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:08:57.718{6820D070-4E19-6323-3B01-000000007502}6844\dotnet-diagnostic-6844C:\Users\Administrator\Downloads\dnSpy.exe 734700x8000000000000000346293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.715{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=33842D2EF1AFD0E94F73E24E55724418,SHA256=EBD2C419EB5B75270E1CC6F80FABD899C8F7B787F742CF3B0F608BB807197DF1,IMPHASH=6FE75EB0A263DD16629B09AECE416B36trueMicrosoft WindowsValid 734700x8000000000000000346292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.594{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97,IMPHASH=07C997EFB887CE39B75B7896A20F5FFBtrueMicrosoft WindowsValid 734700x8000000000000000346291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.594{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0B,IMPHASH=B5CBF1B1B5086E2C500FD84325E04D44trueMicrosoft WindowsValid 734700x8000000000000000346290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.590{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=8B516F883167509677B58B9984D8EEA2,SHA256=47F9B88E4038517FC8C5FEB3AC04B21A885EE505143952C96A23FE851869A90E,IMPHASH=E698C8E2E06172CDB524686FF10A5C5EtrueMicrosoft WindowsValid 734700x8000000000000000346289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.590{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDF,IMPHASH=25AFDCBDCE8BEB6A7109D378495BE552trueMicrosoft WindowsValid 734700x8000000000000000346288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.586{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62A,IMPHASH=5D2578ED274AAD83C30A3917C98404EEtrueMicrosoft WindowsValid 734700x8000000000000000346287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.586{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8C,IMPHASH=5D92B73B6930EFBC71A36B7FEF62DF62trueMicrosoft WindowsValid 734700x8000000000000000346286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.586{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=25ADC994F9AF8716E35487995DDB45CE,SHA256=47B573E7708AAA00F2BE6E8EB7F3CB1B4817E65FACBBB1D772970A8F710DAF61,IMPHASH=6E1D0A92C1917EFBFC1EEA82FA5E155FtrueMicrosoft WindowsValid 23542300x8000000000000000346285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.634{6820D070-4ADF-6323-3200-000000007502}2936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1D89D26C47721E8C15A4AC13D6EE1D13,SHA256=9053C8C62E1881458823A9B1461AB23F20A1826FBD4076E31869139946CE60FF,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000346284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.582{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=2BF0F8D3C4FB14CB0DB195FED475AC53,SHA256=42360027F12D825CFA04158EEF4DE264AC74C7FD48C2C2EE384519714183436F,IMPHASH=EAF4CC449835E7A81A8EEFEBEB2E8FC7trueMicrosoft WindowsValid 734700x8000000000000000346283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.586{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=2BF0F8D3C4FB14CB0DB195FED475AC53,SHA256=42360027F12D825CFA04158EEF4DE264AC74C7FD48C2C2EE384519714183436F,IMPHASH=EAF4CC449835E7A81A8EEFEBEB2E8FC7trueMicrosoft WindowsValid 734700x8000000000000000346282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.582{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=B04953E4C38042AD2628FA49AB42AB5C,SHA256=7B2B4662D3EE0D6DD673C0FEEE4B28E2E16ABF534DF3076497C6B6B40E8BE9C1,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000346281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.599{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3,IMPHASH=EA6E499F92F9040E9609EFDC47BE01FEtrueMicrosoft WindowsValid 734700x8000000000000000346280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.599{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873C,IMPHASH=6E3C4DB87F2B77C788E86C1A678A8D0DtrueMicrosoft WindowsValid 734700x8000000000000000346279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.599{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=80EE5186671CE3551034147EB20E8D5A,SHA256=4004CA1A47FE31D95444872D19BEA51A83472528001B3E8EC18BA0C843199AE9,IMPHASH=6DF3E31673D2CCEDABFBE5A79390B72DtrueMicrosoft WindowsValid 734700x8000000000000000346278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.599{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6CE01AB1C2063B171AD7432B130FEBBD,SHA256=F554E9818C54F6C760C6E53BAEABCA3F5CAD683C028460307F3D93C7A8B06F02,IMPHASH=2D7046CEF5DEEA9D960D37CB0A98F146trueMicrosoft WindowsValid 734700x8000000000000000346277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.594{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=B05DBB473918152F51A7F5A10FE250C7,SHA256=85EA95E8D8B1123288E84E5DC8502584288D67B2C692B118411F37774479498B,IMPHASH=A7A8E1C7D8A348EDDDA81702A2FEC068trueMicrosoft WindowsValid 734700x8000000000000000346276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.594{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=65BF71AD92E68AC9BCDFA13C5FF0959D,SHA256=14FDD181EF550EAE500F4B617877BD2DC04827704704A56DCF30446AEEA2882A,IMPHASH=F1F88F7EE16DD2A229F2F5159DB8928BtrueMicrosoft WindowsValid 734700x8000000000000000346275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.582{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy.exe6.2.0.0dnSpydnSpydnSpydnSpy.dllMD5=601BD36E59620AE5EC97C3DFB81B5202,SHA256=D5D1BD64C251D567F0340F89B0355F750284F34168BA64F40033D1494DEE1348,IMPHASH=FFFF45487D1E51FA972C8409931457DFfalse-Unavailable 734700x8000000000000000346274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.586{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82,IMPHASH=15CD876FB3F6EC97A2F7466360415F86trueMicrosoft WindowsValid 734700x8000000000000000346273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.586{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000346272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.586{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000346271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.582{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000346270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.582{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0,IMPHASH=3045357B61B63AEF6CBCD96F2FA7E9D8trueMicrosoft WindowsValid 734700x8000000000000000346269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.582{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5D,IMPHASH=03B9E38A9E88FDC66380837CCC8647FAtrueMicrosoft WindowsValid 10341000x8000000000000000346268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.582{6820D070-4AD1-6323-1000-000000007502}4286492C:\Windows\System32\svchost.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000346267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.582{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000346266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.582{6820D070-4AD1-6323-1000-000000007502}4281028C:\Windows\System32\svchost.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.578{6820D070-4AD1-6323-1000-000000007502}4281028C:\Windows\System32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.566{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.566{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.564{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.564{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.564{6820D070-4B7C-6323-8800-000000007502}6284268C:\Windows\system32\csrss.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000346259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.564{6820D070-4B7F-6323-9900-000000007502}29729620C:\Windows\Explorer.EXE{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e73b|C:\Windows\System32\windows.storage.dll+16e451|C:\Windows\System32\windows.storage.dll+16e09e|C:\Windows\System32\windows.storage.dll+16f340|C:\Windows\System32\windows.storage.dll+16ddee|C:\Windows\System32\windows.storage.dll+fce8d|C:\Windows\System32\windows.storage.dll+fd5cc|C:\Windows\System32\windows.storage.dll+fc930|C:\Windows\System32\windows.storage.dll+16650a|C:\Windows\System32\windows.storage.dll+166262|C:\Windows\System32\SHELL32.dll+9cafd|C:\Windows\System32\SHELL32.dll+9b696|C:\Windows\System32\SHELL32.dll+8dfa9|C:\Windows\System32\SHELL32.dll+cf48e|C:\Windows\System32\SHELL32.dll+157b8c|C:\Windows\System32\SHELL32.dll+1578e3|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000346258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.559{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe6.2.0.0dnSpydnSpydnSpydnSpy.dll"C:\Users\Administrator\Downloads\dnSpy.exe" C:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{6820D070-4B7D-6323-1F63-0C0000000000}0xc631f2HighMD5=601BD36E59620AE5EC97C3DFB81B5202,SHA256=D5D1BD64C251D567F0340F89B0355F750284F34168BA64F40033D1494DEE1348,IMPHASH=FFFF45487D1E51FA972C8409931457DF{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000346257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.005{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=391D5EA3C33D2CC3F3492451114FFC2C,SHA256=8E91FA0EF5A6FDF75E20D9ACEF30A703E57CB5251DB289801A2FD57D7B8EECB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:57.362{E743DC12-4AD0-6323-1100-000000007602}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=4B90B59623DA42051D0FBFFB88A2EFE0,SHA256=E87530A0A70EF1102C6BD460A33AFCC8C507ADBD114D51E4C8FEBE438681EFE9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:53.751{E743DC12-4AD0-6323-1700-000000007602}1228C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49857-false13.107.4.50-80http 734700x8000000000000000346353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:58.851{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6D,IMPHASH=61592743BFAEF2F12950E5420FA2AEB1trueMicrosoft WindowsValid 734700x8000000000000000346352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:58.847{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Private.Uri.dll6.0.21.52210System.Private.UriMicrosoft® .NETMicrosoft CorporationSystem.Private.Uri.dllMD5=25253137421362E716393516A93AE580,SHA256=3144A8D867A9D6C8C7D55F7F3D349749ED6A4718B2AF1140FD34E025A37EED21,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:58.841{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\PresentationNative_cor3.dll6,0,21,48001 @Commit: bf6f24c075ff5315d0ec0e5359138ee796b0491cPresentationNativeMicrosoft® .NET Framework-PresentationNativeMD5=20F783E735E2E6FF39D6AC12BD9CA154,SHA256=5E621C3D9EEEA75FCBB6C67FD13E2EB8458E6B1CE1074A5EBC7757677A517F5A,IMPHASH=4A000984DE0F3CF8BAC6CA36DF0ECBD4true.NETValid 734700x8000000000000000346350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:58.819{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Runtime.InteropServices.RuntimeInformation.dll6.0.21.52210System.Runtime.InteropServices.RuntimeInformationMicrosoft® .NETMicrosoft CorporationSystem.Runtime.InteropServices.RuntimeInformation.dllMD5=EEF90066DCC508F3C522B0256E0A9331,SHA256=0B4200F3BD5B43BAC52B67E6FF0551719F8A872130A40B73147AF53D235C45EB,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:58.815{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Collections.Specialized.dll6.0.21.52210System.Collections.SpecializedMicrosoft® .NETMicrosoft CorporationSystem.Collections.Specialized.dllMD5=1854CDF013502FCCB49D0B3F38AAB283,SHA256=3468C8668B6C841BC171EB7A0C86DA8A7C89864A872B09D78671487393FA27B9,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:58.811{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Configuration.ConfigurationManager.dll6.0.21.52210System.Configuration.ConfigurationManagerMicrosoft® .NETMicrosoft CorporationSystem.Configuration.ConfigurationManager.dllMD5=A67D63BCF77D9C44BAB958ABD1A18473,SHA256=77019CC0047EDEBCDEC7D56A37ADB24627778752705F57022857636E1DE13960,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:58.787{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Threading.Thread.dll6.0.21.52210System.Threading.ThreadMicrosoft® .NETMicrosoft CorporationSystem.Threading.Thread.dllMD5=836DD9968E19E8F76D08B95FE6B8D0B9,SHA256=79D7781DF83DC99D832DA5FF21203A6E1B4B20350E00A9B072A8D1FCD458F7DC,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000346346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:58.783{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.ComponentModel.Primitives.dll6.0.21.52210System.ComponentModel.PrimitivesMicrosoft® .NETMicrosoft CorporationSystem.ComponentModel.Primitives.dllMD5=C07991C8EB3B098CA704B90C0D3243C1,SHA256=83D450B9AC66E23978314CADA04E3B59D040403EB32E3046420F66B406D44EE4,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:58.779{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Collections.dll6.0.21.52210System.CollectionsMicrosoft® .NETMicrosoft CorporationSystem.Collections.dllMD5=2BFBB37DAE7C0B7B8A4F67A23E527B9B,SHA256=FD5BFB02BA216AB7F404BF0F0F4F8B9268538641F26C4B2BECB71BC053626EFC,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:58.767{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\UIAutomationTypes.dll6.0.21.52301UIAutomationTypesUIAutomationTypesMicrosoft CorporationUIAutomationTypes.dllMD5=C09571FD711E08331AA3FE4D12FD41C3,SHA256=546E9C600A3DAEB536CB430A523B03C27D4E24CB4D3D10D86831363C494B615A,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:58.741{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Xaml.dll6.0.21.52301System.XamlSystem.XamlMicrosoft CorporationSystem.Xaml.dllMD5=3659250C6181F537E3D286B78BBFB764,SHA256=7668E12AAE5B47BAA62F396B33B106ECD35F7D2A77AA264AC88C66696E990CBD,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:58.711{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\PresentationFramework.dll6.0.21.52301PresentationFrameworkPresentationFrameworkMicrosoft CorporationPresentationFramework.dllMD5=7A02A4EFAA1916DD6F6F0B9EC829ECEF,SHA256=2C78924D2005AFC81AA01FAF0D3606BA0AD27B9CAAB21C86742948C93880AEC1,IMPHASH=00000000000000000000000000000000true.NETValid 23542300x8000000000000000346341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:58.783{6820D070-4AD1-6323-1100-000000007502}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=2B3459219531C5006DCA6255BB76450B,SHA256=21EB16B83033CF5D326A95545E5DB45A77449C991148C98F3344809C90620ABC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000346340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:56.500{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A60847- 23542300x8000000000000000346339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:58.667{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD10A6FCEBFE39AB8A17F818F75F9FB7,SHA256=B8701EB9F26AB872C399C1172BD4DDF1118A1142F493EE8EDE7AED786C0DE248,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000346338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:58.470{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Collections.NonGeneric.dll6.0.21.52210System.Collections.NonGenericMicrosoft® .NETMicrosoft CorporationSystem.Collections.NonGeneric.dllMD5=D5F39EB8998748FE4240FDDB4A4ED075,SHA256=488CD734D2731BD94131D6B334B57548051CE95F81C1E560E1D64761D02CA8BB,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:58.466{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=40E6DDAF1D9B1EE5982EE386E7CF2CCD,SHA256=9640D39690AF9B66334565B41BD6C71350B49E6C99FBDF0107316A31830CC3B8,IMPHASH=A304C1ECFEFBD3A520A9945E2188D759trueMicrosoft WindowsValid 734700x8000000000000000346336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:58.436{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.Win32.Primitives.dll6.0.21.52210Microsoft.Win32.PrimitivesMicrosoft® .NETMicrosoft CorporationMicrosoft.Win32.Primitives.dllMD5=39943DFE6BB6C26051F6E4F6D058E865,SHA256=592F60777AEB358863EA732852F6C1D5F5852E686C6CB01F24E7C5C21F75BAEB,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:58.429{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Threading.dll6.0.21.52210System.ThreadingMicrosoft® .NETMicrosoft CorporationSystem.Threading.dllMD5=3B6EE7360075D0DA62155681EDBD07DF,SHA256=04871B7FAA29EB95C36F7A70610CBCC9E9AA6A99120D4C17FBD16107C2B7ECAC,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:58.422{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Diagnostics.Debug.dll6.0.21.52210System.Diagnostics.DebugMicrosoft® .NETMicrosoft CorporationSystem.Diagnostics.Debug.dllMD5=7EFA152A06CB91E1723E4D6AC0357B41,SHA256=FA6FA137CB312A00346D96ED50BDD463FCD0A258989039D483977D51291C939A,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000346333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:58.414{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Runtime.CompilerServices.VisualC.dll6.0.21.52210System.Runtime.CompilerServices.VisualCMicrosoft® .NETMicrosoft CorporationSystem.Runtime.CompilerServices.VisualC.dllMD5=482D945DA223937EB9E12EC6A5D4698A,SHA256=53C4233385A613EF20014C46A91480553BCE7886FE0E7E85B9B056876C4E694C,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:58.406{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Runtime.InteropServices.dll6.0.21.52210System.Runtime.InteropServicesMicrosoft® .NETMicrosoft CorporationSystem.Runtime.InteropServices.dllMD5=9F3143CED52097B0A2957A8BE7145A3C,SHA256=A76486D3A29BD3D701DA262AF0EFAB75696F5370E38E9259A051FCE2D51B6B6B,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:58.402{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Runtime.Extensions.dll6.0.21.52210System.Runtime.ExtensionsMicrosoft® .NETMicrosoft CorporationSystem.Runtime.Extensions.dllMD5=040B9847AF56ECD80DE4FED9303727F3,SHA256=D8C2A863239F9042F1E65F3C3563E8B3A9509A33345E3A800328DB84885DA52E,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000346330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:58.398{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\DirectWriteForwarder.dll6,0,21,52301 @Commit: 3f75a67c752a116de292affae29a22bbb5b71b18DirectWriteForwarderMicrosoft® .NET Framework-DirectWriteForwarderMD5=3683B801DB70E9D96064D724A462FB80,SHA256=A14ECB1D297220D44C611C1CC8C75E3AC856CE4BEE98FF0366B09C713F557E80,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:58.382{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\WindowsBase.dll6.0.21.52301WindowsBaseWindowsBaseMicrosoft CorporationWindowsBase.dllMD5=2A168C5013C095473BF9775000A45CB6,SHA256=E583D38EE46F51C48FFE0E6A89B9F46EC194A7271886D4CCEB815D0C28F8FAE1,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:58.344{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\PresentationCore.dll6.0.21.52301PresentationCorePresentationCoreMicrosoft CorporationPresentationCore.dllMD5=C8AC6700FE19D988956A0C16B0ECB1FE,SHA256=A599CEF5F3F0D9C7826E82494D83043B2419BBF96A1BD1E93E70890FEE0F16A4,IMPHASH=00000000000000000000000000000000true.NETValid 23542300x8000000000000000346327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:58.366{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC28C77D9E3374DDC0EAE901DED06276,SHA256=AFB516AA2A011020DCD724DF17FD9F2180127C0C61DE74CE5D21222F8F9B9E0F,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000346326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:58.127{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\netstandard.dll6.0.21.52210netstandardMicrosoft® .NETMicrosoft Corporationnetstandard.dllMD5=2A71DC426DD2233C09557AA5080C2728,SHA256=B327E1C2E0D91150ED8D96D958C3F605BBE197DE6458D8E45901FADD3CF439F1,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000346325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:58.116{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnlib.dll3.5.0.0dnlib (thread safe)dnlib0xd4ddnlib.dllMD5=0B803121812D241F8FC1B8E53E8E965B,SHA256=ECF5D926A965B89F1427514EF03DF543A48FD26464CA5D6EB27EB0A7E3D7AA5A,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000346324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:58.087{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Diagnostics.Tracing.dll6.0.21.52210System.Diagnostics.TracingMicrosoft® .NETMicrosoft CorporationSystem.Diagnostics.Tracing.dllMD5=C82FD113C35576BC608EE13460AC7DE6,SHA256=8A87E2AB0BBFC3EE4BDB0FF5303227183D46661A2F73DBB598A7240341217B3F,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000346323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:58.082{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.DnSpy.dll6.2.0.0dnSpy.Contracts.DnSpydnSpy.Contracts.DnSpydnSpy.Contracts.DnSpydnSpy.Contracts.DnSpy.dllMD5=96B94DB45C774280FA3E5380F19BAF73,SHA256=A1F2EA0B03E0C6BC2E68F7B4276C165B0B00872A3FB2989C913EEECF470608A4,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000346322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:58.055{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Runtime.dll6.0.21.52210System.RuntimeMicrosoft® .NETMicrosoft CorporationSystem.Runtime.dllMD5=5DDDA9B5710F5C90C29696AEAC0EF6BB,SHA256=E39B9A9384B8D108D4DD447586E2C9104255B5B3B6A8B491AA2F8CC3DE017A49,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000346321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:58.020{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.dll6.2.0.0dnSpydnSpydnSpydnSpy.dllMD5=DEA0738CCCA15F581AC879F61DD01C2B,SHA256=90964FA6F7FCC82C95D995D94C3F23248B2D471E2FFAF56378234FA4EFD90286,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744false-Unavailable 734700x8000000000000000346320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.956{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\clrjit.dll6,0,21,52210 @Commit: 4822e3c3aa77eb82b2fb33c9321f923cf11ddde6Microsoft .NET Runtime Just-In-Time CompilerMicrosoft® .NETMicrosoft Corporationclrjit.dllMD5=8E8CC90EB531C0E33F5B6B00F4DABA67,SHA256=266CDA8125B98EE9B95B0A5A952982163DE3FFD42BB0FA7CB3D09D8C9F282BAF,IMPHASH=548C91713A58B402BCB54FA5F1BD6650true.NETValid 10341000x8000000000000000346319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:58.057{6820D070-4AD1-6323-1500-000000007502}12201384C:\Windows\system32\svchost.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:58.056{6820D070-4AD1-6323-1500-000000007502}12201256C:\Windows\system32\svchost.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000346317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:58.056{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670,IMPHASH=1FCD5DF5B3D97346B0A828B1CFDB1ED1trueMicrosoft WindowsValid 734700x8000000000000000346316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:57.908{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll6.0.21.52210System.Private.CoreLibMicrosoft® .NETMicrosoft CorporationSystem.Private.CoreLib.dllMD5=CEB531F02904C027960273F98BAE9C41,SHA256=CE8E92CACC5DBEEF25D046707ABEDAD5501378020041D23E5F42134CFE651883,IMPHASH=00000000000000000000000000000000true.NETValid 10341000x8000000000000000346315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:58.032{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:58.032{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:58.032{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000346462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.994{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000346461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.961{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\D3DCompiler_47_cor3.dll10.0.19041.685 (WinBuild.160101.0800)Direct3D HLSL Compiler for RedistributionMicrosoft® Windows® Operating SystemMicrosoft Corporationd3dcompiler_47.dllMD5=CD8A3BE4D5871171FD0B107132D97BE8,SHA256=4A62063A3C7EFCF0FAA3800A93FCD26728EF753D3B83BC919C12CEBFB582F0F0,IMPHASH=131726669BC1E34B495EDB4198D0ACA3trueMicrosoft CorporationValid 734700x8000000000000000346460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.913{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\wpfgfx_cor3.dll6,0,21,52301 @Commit: 3f75a67c752a116de292affae29a22bbb5b71b18wpfgfxMicrosoft® .NET Framework-wpfgfxMD5=19D5F4E19D8657467439D26CE5232DDD,SHA256=8B051A41EF5AABFD72763B821F1D505CA0D346DC1AB172F6DC9ECE7B04F8A48B,IMPHASH=BAFC7F8C0766264F38AC860C76DB0B07true.NETValid 734700x8000000000000000346459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.885{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Reflection.Metadata.dll6.0.21.52210System.Reflection.MetadataMicrosoft® .NETMicrosoft CorporationSystem.Reflection.Metadata.dllMD5=DF8A09B47729B6E54B8748714C4ED452,SHA256=E9A717957C62236DD979750CE648DC8E981311F16B5E3DBC5405426CBC1414AB,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.861{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.CSharp.ExpressionEvaluator.dll1.0.0.0Microsoft.CodeAnalysis.CSharp.ExpressionEvaluatorMicrosoft.CodeAnalysis.CSharp.ExpressionEvaluatorMicrosoft.CodeAnalysis.CSharp.ExpressionEvaluatorMicrosoft.CodeAnalysis.CSharp.ExpressionEvaluator.dllMD5=C3BE86B4C421F56A3EE092500F64D1F9,SHA256=A338F25B43324110CBA2139CA099930AC85457C858AEEF6928CB97DF489C6E50,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000346457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.857{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Mono.Debugger.Soft.dll4.0.0.0Mono.Debugger.Soft.dll--Mono.Debugger.Soft.dllMD5=7F9287B3876F45986DB4DE9CDF590FEB,SHA256=BB19F4ADE7180960C032F13B0A70B33EDED6B4F232CFD51F09BDB38F8F5B1CEF,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000346456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.853{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.VisualBasic.ExpressionEvaluator.dll1.0.0.0Microsoft.CodeAnalysis.VisualBasic.ExpressionEvaluatorMicrosoft.CodeAnalysis.VisualBasic.ExpressionEvaluatorMicrosoft.CodeAnalysis.VisualBasic.ExpressionEvaluatorMicrosoft.CodeAnalysis.VisualBasic.ExpressionEvaluator.dllMD5=4E26A0D0497E9B432192AE0BDBFFAB1D,SHA256=4C87EDB4FF74DF1E2475054CA7FF00AA0CB11ED60202F3B8F2B4E9476C0F47B7,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000346455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.849{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Decompiler.dll6.2.0.0dnSpy.DecompilerdnSpy.DecompilerdnSpy.DecompilerdnSpy.Decompiler.dllMD5=E0EB1409207D2B9695C86C72A9A87C1D,SHA256=8CFE306412B4D8DD03B6AA9FCF8A870F11514DD598D89EA09CF1DEA7278FAF76,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000346454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.842{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Decompiler.ILSpy.Core.dll6.2.0.0dnSpy.Decompiler.ILSpy.CorednSpy.Decompiler.ILSpy.CorednSpy.Decompiler.ILSpy.CorednSpy.Decompiler.ILSpy.Core.dllMD5=4F0ED164A2E674B9CF19FCAD538DD2A8,SHA256=71EACA8BBC4D887525FE86A770D00D6FB69FBF431E0317D2682FCA7D16BA9816,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000346453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.842{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.Internal.dll1.0.0.0dnSpy.Roslyn.InternaldnSpy.Roslyn.InternaldnSpy.Roslyn.InternaldnSpy.Roslyn.Internal.dllMD5=83AAE20C78911A9E76C6C26F79B69928,SHA256=5AB81CAF72FFD2A21C59EB94926AAFBC2FBCEB31EAAFE581F69E42EBE7D1C40F,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000346452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.839{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.Interpreter.dll6.2.0.0dnSpy.Debugger.DotNet.InterpreterdnSpy.Debugger.DotNet.InterpreterdnSpy.Debugger.DotNet.InterpreterdnSpy.Debugger.DotNet.Interpreter.dllMD5=80E8A0AB7E9FB61EA11B69A9D05CE2F8,SHA256=12770EDE0DC53FE6B8D8C04EBA86D8D76421E1EA63D15E751E4D2C28B98DA334,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000346451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.836{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Debugger.DotNet.CorDebug.dll6.2.0.0dnSpy.Contracts.Debugger.DotNet.CorDebugdnSpy.Contracts.Debugger.DotNet.CorDebugdnSpy.Contracts.Debugger.DotNet.CorDebugdnSpy.Contracts.Debugger.DotNet.CorDebug.dllMD5=8A66D528C4032948391D9279B4FBCA7C,SHA256=216CF81D33D53D8643DD838AD67E303BD502B9F1008D18DC9896164C093D915E,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000346450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.834{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Debugger.DotNet.Mono.dll6.2.0.0dnSpy.Contracts.Debugger.DotNet.MonodnSpy.Contracts.Debugger.DotNet.MonodnSpy.Contracts.Debugger.DotNet.MonodnSpy.Contracts.Debugger.DotNet.Mono.dllMD5=2E41332FA869D94289B7D0F4B527D535,SHA256=49916D030C6C4B64D5F600DFD9EF82F77ED9F5A4E4CE1E5DDDC328DB0C46AD6F,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000346449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.831{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\ICSharpCode.Decompiler.dll2.4.0.0ICSharpCode.DecompilerICSharpCode.Decompileric#codeICSharpCode.Decompiler.dllMD5=49546DA1624C7DD035610BC873B805D2,SHA256=3227C3D97F4E72D050FD1C7489AF73A152A71685F20259479456F5E72B6B88E0,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000346448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.820{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.Scripting.dll4.100.22.11411Microsoft.CodeAnalysis.ScriptingMicrosoft.CodeAnalysis.ScriptingMicrosoft CorporationMicrosoft.CodeAnalysis.Scripting.dllMD5=9DAC579574D4A584C9FAA2CE069C72DC,SHA256=922E63F0A6DEFE5E91F49D37C5D850B068B814716CC88717DB84B971EF7B0FF0,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000346447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.812{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.ExpressionEvaluator.dll1.0.0.0Microsoft.CodeAnalysis.ExpressionEvaluatorMicrosoft.CodeAnalysis.ExpressionEvaluatorMicrosoft.CodeAnalysis.ExpressionEvaluatorMicrosoft.CodeAnalysis.ExpressionEvaluator.dllMD5=29ED82A333B07338E488092EAC8386E5,SHA256=6C872F450B3E7E30E09770EED605DA993E57DB6C0DC83537E5C8070855A97053,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000346446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.808{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Drawing.Primitives.dll6.0.21.52210System.Drawing.PrimitivesMicrosoft® .NETMicrosoft CorporationSystem.Drawing.Primitives.dllMD5=5AE6A1091BD1147025C08AB08CD311B7,SHA256=A5AFBC45932CA897078CE8C3724D505AABCD83283599C5AB6C8A2440F4355ECE,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.804{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.Win32.SystemEvents.dll6.0.21.52210Microsoft.Win32.SystemEventsMicrosoft® .NETMicrosoft CorporationMicrosoft.Win32.SystemEvents.dllMD5=0440D9F939D0FDD4FC2040FABAB3859D,SHA256=6C3E08963E20CCE095FBF02789C7D35390E2D834B2A8E46064CE060D48AE52A4,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.804{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Iced.dll1.17.0.0IcedIcediced project and contributors <https://github.com/icedland>Iced.dllMD5=83224DF19D221DC0D4B0C8125D7C978F,SHA256=0763EAF4A7A3A7798DEB16F7138D454062868914A5226EF2BF512D3D19662714,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000346443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.764{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Windows.Forms.dll6.0.21.52301System.Windows.FormsMicrosoft® .NETMicrosoft CorporationSystem.Windows.Forms.dllMD5=F4149173A305B8701477D0175E6C814D,SHA256=B9AEAFE5A5F45AEBA4E4BD4E16BECF4F54BE536BB1C8914C292A8978FA76744A,IMPHASH=00000000000000000000000000000000true.NETValid 10341000x8000000000000000346442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.640{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2E00-000000007502}2728C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000346441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.639{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2D00-000000007502}2720C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000346440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.635{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 734700x8000000000000000346439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.592{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.Features.dll4.100.22.11411Microsoft.CodeAnalysis.FeaturesMicrosoft.CodeAnalysis.FeaturesMicrosoft CorporationMicrosoft.CodeAnalysis.Features.dllMD5=41A8D32C5428DFA29B7E837B89BB36BC,SHA256=E619919D846A23E0D1DAA6515D289235F09F5EE69B1D7AF6DC78E2C285160F00,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000346438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.535{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.Metadata.dll6.2.0.0dnSpy.Debugger.DotNet.MetadatadnSpy.Debugger.DotNet.MetadatadnSpy.Debugger.DotNet.MetadatadnSpy.Debugger.DotNet.Metadata.dllMD5=D615F14F9082D129B42D61C4AE722E01,SHA256=ABCB6CC22DC28F0C11936B11876A09C274E293B90AC78D6D20C7AE56F2EEB46E,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000346437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.515{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.Workspaces.dll4.100.22.11411Microsoft.CodeAnalysis.WorkspacesMicrosoft.CodeAnalysis.WorkspacesMicrosoft CorporationMicrosoft.CodeAnalysis.Workspaces.dllMD5=DDA30387CE2B0C4C3C984FE0688CD362,SHA256=1D5D85EF6F5A1D21F0A2B6D630DB9809E4F312048E6D0392D73BFEF5FCF7CBE0,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 10341000x8000000000000000346436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.534{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000346435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.471{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\PresentationFramework.Aero.dll6.0.21.52301PresentationFramework.AeroPresentationFramework.AeroMicrosoft CorporationPresentationFramework.Aero.dllMD5=3B96A446158FD2F2DDF061569C0A864C,SHA256=E7BF8D3F25FEEBA7F40B1F7E9D9FCF628D7A5E28E3E9A83828FF082ED237EBD5,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.460{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Debugger.dll6.2.0.0dnSpy.Contracts.DebuggerdnSpy.Contracts.DebuggerdnSpy.Contracts.DebuggerdnSpy.Contracts.Debugger.dllMD5=A3B0A7DB78809411199BD15E8B0CD436,SHA256=52DEBF660F28982C3EFC8735D3CFD1C8DD9755631D1429C902D2DBCCC38C1AFC,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000346433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.446{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Debugger.DotNet.dll6.2.0.0dnSpy.Contracts.Debugger.DotNetdnSpy.Contracts.Debugger.DotNetdnSpy.Contracts.Debugger.DotNetdnSpy.Contracts.Debugger.DotNet.dllMD5=CAD3FCEBE5BF8CC5B2331594D2D98B92,SHA256=EF0CF304AC7A269955E96B77C0AFFFDCE2C40779657726C047628AB17A4D16F6,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000346432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.443{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.VisualStudio.Language.Intellisense.dll15.3.1711.0902Microsoft.VisualStudio.Language.IntellisenseMicrosoft® Visual Studio®Microsoft CorporationMicrosoft.VisualStudio.Language.Intellisense.dllMD5=0B8EE9C16452E25BA8213164A8C0DF19,SHA256=EE591319B81309F70617C0A444D8B7BC014BD8C86B3A35034748149B8D129554,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x8000000000000000346431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.438{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=AC951CC1306C73767A05F04BFC916CD8,SHA256=5FE28B70168433EF1C6DDE3CB1BE43A1A614508C37BC9C32F2051E5BA341C6C3,IMPHASH=EF37C47ACC74D5DC3737EEE137193A8DtrueMicrosoft WindowsValid 23542300x8000000000000000346430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.444{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7A86EB75158D2005EEBDA793B4394C8,SHA256=FD88524D4279AA11FBC116924F84EB07752F097A7DBEAF1A58A16D2B967A9C12,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000346429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.419{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.dll4.100.22.11411Microsoft.CodeAnalysisMicrosoft.CodeAnalysisMicrosoft CorporationMicrosoft.CodeAnalysis.dllMD5=91945552F973F723A8394EFF78C5EC81,SHA256=DE51F515D2D8D7515DB4C60F1F40FAE351FAF14A4EEEA68635F19F9EF11EFC92,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000346428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.383{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.ComponentModel.Composition.dll4.6.26515.06System.ComponentModel.CompositionMicrosoft® .NET FrameworkMicrosoft CorporationSystem.ComponentModel.Composition.dllMD5=868AD071108F7B0ADCEEC2E9FFCD0FE0,SHA256=AB23A9EE4AD84643847865D6E975C6746BD913270DD63E7CA9125E4DC255645F,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x8000000000000000346427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.373{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.VisualStudio.Text.Data.dll15.3.1711.0902Microsoft.VisualStudio.Text.DataMicrosoft® Visual Studio®Microsoft CorporationMicrosoft.VisualStudio.Text.Data.dllMD5=EEFA9B065F29C2794AC489244DAFA7B3,SHA256=5AC8022AB982A5C36D64FB30B8115E2E43FACA91768C36AB8BA8B7E93E3DBDE6,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x8000000000000000346426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.369{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll6.0.21.52210System.Diagnostics.ProcessMicrosoft® .NETMicrosoft CorporationSystem.Diagnostics.Process.dllMD5=FF8ED269DA24C8909E4DC53608907DB8,SHA256=001732FFE73963060E449AE0488735C3B7D6403F19ED8A5A4CFE3B38162E1D4E,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.358{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Threading.Tasks.Dataflow.dll6.0.21.52210System.Threading.Tasks.DataflowMicrosoft® .NETMicrosoft CorporationSystem.Threading.Tasks.Dataflow.dllMD5=5FC735EC74E9CC837E59A4B4F190931E,SHA256=D56D0ACE28636F578A33D052B4EB4BF99776309AFC8BF9EE3FB083F67F49C313,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.345{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Runtime.Serialization.Formatters.dll6.0.21.52210System.Runtime.Serialization.FormattersMicrosoft® .NETMicrosoft CorporationSystem.Runtime.Serialization.Formatters.dllMD5=763E74F3EC45A557B4A7153AF052C8C0,SHA256=4AF14082BB3910CB5438A1FDCC217E4B95FC21EDB586293D88B66EB10B358A86,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.328{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Resources.ResourceManager.dll6.0.21.52210System.Resources.ResourceManagerMicrosoft® .NETMicrosoft CorporationSystem.Resources.ResourceManager.dllMD5=8FF31FA4E34E2E903976BF58A0AD23E7,SHA256=49E7D1C0AD3A52EF869E44FCD782E5843B4079128E0301BA69A48B3A3CCB1787,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000346422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.324{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Threading.Tasks.dll6.0.21.52210System.Threading.TasksMicrosoft® .NETMicrosoft CorporationSystem.Threading.Tasks.dllMD5=15089A2485168458FF713F1629F3683F,SHA256=1B54B6551B2DF3469DDA05CD17F43E1F457981EE1F5D89ECE01403441A54738A,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000346421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.322{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\ICSharpCode.TreeView.dll4.2.0.8752ICSharpCode.TreeViewSharpDevelopic#codeICSharpCode.TreeView.dllMD5=64ABAA87419FD9D5F4390BFBE0822FE7,SHA256=74B9B8395E999C1024785BA88521248CD39622107FDA6545CEC167A89F41B9A6,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000346420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.317{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Collections.Immutable.dll6.0.21.52210System.Collections.ImmutableMicrosoft® .NETMicrosoft CorporationSystem.Collections.Immutable.dllMD5=4EB72CD3197832DB3D1DF4F4DC5D57DA,SHA256=581208392C096999DBF244C13C32D83E91476EC51B53D3FAC0EF48060AFFA0B4,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.301{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Scripting.Roslyn.x.dll6.2.0.0dnSpy.Scripting.Roslyn.xdnSpy.Scripting.Roslyn.xdnSpy.Scripting.Roslyn.xdnSpy.Scripting.Roslyn.x.dllMD5=8D9021BA2A12CAAB3A1F56EC70998742,SHA256=5E5B176CD1016185B63BD580E243CE3568A43EC160106A93A5CE8FB85F1691C8,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000346418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.297{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Decompiler.ILSpy.x.dll6.2.0.0dnSpy.Decompiler.ILSpy.xdnSpy.Decompiler.ILSpy.xdnSpy.Decompiler.ILSpy.xdnSpy.Decompiler.ILSpy.x.dllMD5=C20D0E8B630FEC6C1FC9530F42BB35A6,SHA256=7C31E252536EC4FACD0BE83B308D4C82BC696A3B47175CE768F76EF0E66193DB,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000346417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.293{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.x.dll6.2.0.0dnSpy.Debugger.xdnSpy.Debugger.xdnSpy.Debugger.xdnSpy.Debugger.x.dllMD5=EF64004832FB8B6529F2A2A7A5FD46B1,SHA256=7EDBA94D7486F2A3D0D02C1FC6BAE4D2BD192B8402FDD134E18CA4D3396ED4CB,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 10341000x8000000000000000346416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.304{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000346415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.297{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2900-000000007502}2576C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 23542300x8000000000000000190011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:59.079{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F176C909B1DA963068948C4FBD61DA1,SHA256=0A013BD2908360CBAB88C9F57F18508CE7C81236189789987AD7E8DBF783767C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000346414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.292{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000346413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.283{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2600-000000007502}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 734700x8000000000000000346412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.269{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.x.dll6.2.0.0dnSpy.Debugger.DotNet.xdnSpy.Debugger.DotNet.xdnSpy.Debugger.DotNet.xdnSpy.Debugger.DotNet.x.dllMD5=ED2878B9D2F786DE405EC9CC4A4DB6FB,SHA256=9C7BE7BDEB9BE182539A1721BB28352702474259D829E3373AB951F5BF4DB33B,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 10341000x8000000000000000346411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.277{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2500-000000007502}2460C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 734700x8000000000000000346410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.260{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.Mono.x.dll6.2.0.0dnSpy.Debugger.DotNet.Mono.xdnSpy.Debugger.DotNet.Mono.xdnSpy.Debugger.DotNet.Mono.xdnSpy.Debugger.DotNet.Mono.x.dllMD5=EBED5C954CCE85A54E5B199AFC0FB271,SHA256=2A0A73927E19CEC582AA5AF7CC932EC1AEDFC64047A073ECD8A6CCC2AEDCAC8A,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 10341000x8000000000000000346409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.274{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADB-6323-2300-000000007502}2300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000346408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.272{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD2-6323-1B00-000000007502}1512C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000346407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.270{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1700-000000007502}1348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 734700x8000000000000000346406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.254{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Net.WebHeaderCollection.dll6.0.21.52210System.Net.WebHeaderCollectionMicrosoft® .NETMicrosoft CorporationSystem.Net.WebHeaderCollection.dllMD5=C785181850F0D84351236C3D7DE3A28F,SHA256=20B374286120DA35EA3B2913DB826897292FC7C142477B979A7A6A7BE19E4C40,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.250{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Net.Primitives.dll6.0.21.52210System.Net.PrimitivesMicrosoft® .NETMicrosoft CorporationSystem.Net.Primitives.dllMD5=2385DBB0768187620F05938F948FE85B,SHA256=E4D471D3286B1A45637CC3B460D87B4C602CFB0BDAFA59E96C290187B134DB8A,IMPHASH=00000000000000000000000000000000true.NETValid 10341000x8000000000000000346404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.262{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1600-000000007502}1292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 734700x8000000000000000346403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.243{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Net.Requests.dll6.0.21.52210System.Net.RequestsMicrosoft® .NETMicrosoft CorporationSystem.Net.Requests.dllMD5=8420307E73415E506DBF06BE0B97A3E7,SHA256=9121E89E437F1DC7C6A2AD241463DCD65E1C33AC836ECE62E554822C325CFD9C,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.235{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.CorDebug.x.dll6.2.0.0dnSpy.Debugger.DotNet.CorDebug.xdnSpy.Debugger.DotNet.CorDebug.xdnSpy.Debugger.DotNet.CorDebug.xdnSpy.Debugger.DotNet.CorDebug.x.dllMD5=B55C01674DFEFC19ABAB5B85AB9A4380,SHA256=85A2AB0C80DBC4082D6D0F7700C1CDBBCF7217313C1ED4A2BC641C7FB443F94B,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000346401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.219{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.BamlDecompiler.x.dll6.2.0.0dnSpy.BamlDecompiler.xdnSpy.BamlDecompiler.xdnSpy.BamlDecompiler.xdnSpy.BamlDecompiler.x.dllMD5=EC48266ECB5E53436976F4933BE8BD4C,SHA256=484E672C53E7FE673E62B6E946991D51ED8931C2DEF66B5E8B96B9B634D18C9F,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 10341000x8000000000000000346400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.240{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 734700x8000000000000000346399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.208{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.ObjectModel.dll6.0.21.52210System.ObjectModelMicrosoft® .NETMicrosoft CorporationSystem.ObjectModel.dllMD5=24D02E16C185592A3B91C2B44939B100,SHA256=546E77685BA444834ADF82F8FFE2B2D71D2C43E272314C34BA150B9148D65FD1,IMPHASH=00000000000000000000000000000000true.NETValid 10341000x8000000000000000346398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.232{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1400-000000007502}1160C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 734700x8000000000000000346397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.203{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.AsmEditor.x.dll6.2.0.0dnSpy.AsmEditor.xdnSpy.AsmEditor.xdnSpy.AsmEditor.xdnSpy.AsmEditor.x.dllMD5=21555769A9489E1DF0349DC9FF02AAAE,SHA256=88978BED6CC52DAC7EDF3952F99DA28D110E40C549E1CF1A88E8E434A3DD1EB7,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 10341000x8000000000000000346396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.224{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1300-000000007502}924C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000346395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.216{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1200-000000007502}396C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 734700x8000000000000000346394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.176{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Collections.Concurrent.dll6.0.21.52210System.Collections.ConcurrentMicrosoft® .NETMicrosoft CorporationSystem.Collections.Concurrent.dllMD5=B7D52C2138212B850DD4E232DC36A46A,SHA256=3B5B7C7A98211057CA8D97460C4054844117D2EA9479FDFAED502953C36FAF32,IMPHASH=00000000000000000000000000000000true.NETValid 10341000x8000000000000000346393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.209{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1100-000000007502}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 734700x8000000000000000346392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.168{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Analyzer.x.dll6.2.0.0dnSpy.Analyzer.xdnSpy.Analyzer.xdnSpy.Analyzer.xdnSpy.Analyzer.x.dllMD5=37E40820E363C2943F8F38DB49C86D1D,SHA256=E2C12165432FD088F5159FB588457925CB5F25DA0C9B07D2F6537978AAEAB86D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 10341000x8000000000000000346391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.203{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1000-000000007502}428C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 734700x8000000000000000346390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.162{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.ComponentModel.dll6.0.21.52210System.ComponentModelMicrosoft® .NETMicrosoft CorporationSystem.ComponentModel.dllMD5=59842A083518AD506AB179ADE2AE71CD,SHA256=1BD117D7C9E2AD6285BB704BF363DF4AC72B55F747BBF56E9D042098C35E9EEF,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.158{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Windows.Extensions.dll6.0.21.52210System.Windows.ExtensionsMicrosoft® .NETMicrosoft CorporationSystem.Windows.Extensions.dllMD5=9078F26D1DAAFBD73E2EB44B94E811DD,SHA256=9638C1FD08FBD30FAE46F089C922670B6C40E456D48974945171FE512A85FEA9,IMPHASH=00000000000000000000000000000000true.NETValid 10341000x8000000000000000346388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.192{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0F00-000000007502}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 734700x8000000000000000346387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.154{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Private.Xml.Linq.dll6.0.21.52210System.Private.Xml.LinqMicrosoft® .NETMicrosoft CorporationSystem.Private.Xml.Linq.dllMD5=55A9A8898433FDF40A04F03309802075,SHA256=B3A7169165885E8B902C6048F04909C9A2694887538BF60918CDFFB84F8617A3,IMPHASH=00000000000000000000000000000000true.NETValid 10341000x8000000000000000346386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.186{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 734700x8000000000000000346385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.144{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Xml.XDocument.dll6.0.21.52210System.Xml.XDocumentMicrosoft® .NETMicrosoft CorporationSystem.Xml.XDocument.dllMD5=9189E11DCB10DC7C15DC9F28FCB97500,SHA256=BE8A5A9BB08CFFADB118D9D2BF851D4EBBD798AF3436194122695B06B7BD0086,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000346384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.141{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.ComponentModel.TypeConverter.dll6.0.21.52210System.ComponentModel.TypeConverterMicrosoft® .NETMicrosoft CorporationSystem.ComponentModel.TypeConverter.dllMD5=1E0E4E82096C2FA5E959ECC931B55BEA,SHA256=89995600F48571DC7206A2125D9F179476B4DF6C47C50F73382DB1179FF945A5,IMPHASH=00000000000000000000000000000000true.NETValid 23542300x8000000000000000346383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.179{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2F4C741078022B5D49B3CDD5C126B80,SHA256=C2D7A49C23295B27CCE4058EF2F29385733FED102F941CDA64BBA751DEECA5B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000346382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.178{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0D00-000000007502}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000346381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.171{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 734700x8000000000000000346380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.123{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.VisualBasic.EditorFeatures.dll1.0.0.0dnSpy.Roslyn.VisualBasic.EditorFeaturesdnSpy.Roslyn.VisualBasic.EditorFeaturesdnSpy.Roslyn.VisualBasic.EditorFeaturesdnSpy.Roslyn.VisualBasic.EditorFeatures.dllMD5=BD737F79DF7D748BA12A961E96F0ED36,SHA256=7BCA32B7500A7870E61BFAB75D90EAA6D23ED981E0A3DD988BE3156AA0C19732,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000346379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.121{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.CSharp.EditorFeatures.dll1.0.0.0dnSpy.Roslyn.CSharp.EditorFeaturesdnSpy.Roslyn.CSharp.EditorFeaturesdnSpy.Roslyn.CSharp.EditorFeaturesdnSpy.Roslyn.CSharp.EditorFeatures.dllMD5=9F9972EDBC7C43F1E1C9474AC3653A0C,SHA256=40067F138670D976676535D5F0D0D57084CC3D1D21CC243BEE0146A894EB74FE,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000346378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.119{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.EditorFeatures.dll1.0.0.0dnSpy.Roslyn.EditorFeaturesdnSpy.Roslyn.EditorFeaturesdnSpy.Roslyn.EditorFeaturesdnSpy.Roslyn.EditorFeatures.dllMD5=6C6A2076DA06F4B92E270E5C3F1954ED,SHA256=281564B0813143210B432751BCB3278D729EC8A9B08385F24488C0B7A790BBBD,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000346377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.117{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Diagnostics.TraceSource.dll6.0.21.52210System.Diagnostics.TraceSourceMicrosoft® .NETMicrosoft CorporationSystem.Diagnostics.TraceSource.dllMD5=23963EBDEE54DFEC8D0A4249B0D6F6C6,SHA256=905D61618F4923DAF84424A0A884E9C0B46561DA4BE92B6EEEF7D58807A6C408,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.113{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.VisualStudio.Text.UI.Wpf.dll15.3.1711.0902Microsoft.VisualStudio.Text.UI.WpfMicrosoft® Visual Studio®Microsoft CorporationMicrosoft.VisualStudio.Text.UI.Wpf.dllMD5=73EB6BCE506CB1EEA24B7EAC9016961D,SHA256=AFBB75D4627E03BBC623D431DC60A0369C5F1951DB9F5F204348923FEEFF2420,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x8000000000000000346375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.109{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.VisualStudio.CoreUtility.dll15.3.1711.0902Microsoft.VisualStudio.CoreUtilityMicrosoft® Visual Studio®Microsoft CorporationMicrosoft.VisualStudio.CoreUtility.dllMD5=2D07B735A69CA36E3F0F38C6387B8E28,SHA256=B89BE2024F64A5EAD3BA16985C42D69C13E58F58745206B9A17B594978754713,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x8000000000000000346374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.107{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\mscorlib.dll6.0.21.52210mscorlibMicrosoft® .NETMicrosoft Corporationmscorlib.dllMD5=43944704C060BEB13A6A59D2AE0A4DB3,SHA256=1FAD257F5FAB87C483C16512280658643C0D2B8947D2A7BBA8B1129BB11072E0,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000346373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.104{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.VisualStudio.Text.UI.dll15.3.1711.0902Microsoft.VisualStudio.Text.UIMicrosoft® Visual Studio®Microsoft CorporationMicrosoft.VisualStudio.Text.UI.dllMD5=EB52DE9017440E056D47952ABEBE4EF6,SHA256=BB6332D6C685F9AA6F2CA7E2FAB34671CE3138681A978615C85AAB6F8B79DF13,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x8000000000000000346372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.099{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.VisualStudio.Text.Logic.dll15.3.1711.0902Microsoft.VisualStudio.Text.LogicMicrosoft® Visual Studio®Microsoft CorporationMicrosoft.VisualStudio.Text.Logic.dllMD5=02226BF39CB9BA85E52E77F9789C8F07,SHA256=62905B7867D9487B5F1DB82825904D0DFC04ACE5966BEABBFCEE193CCF1C3D8B,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 10341000x8000000000000000346371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.139{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000346370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.136{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0900-000000007502}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 734700x8000000000000000346369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.095{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.dll6.2.0.0dnSpy.RoslyndnSpy.RoslyndnSpy.RoslyndnSpy.Roslyn.dllMD5=E894FA6CEC92DBBD21D60204EF30010B,SHA256=564AB579CE81877E0A77785009A91390B7B28B4C28872B93131EB79315D5A62F,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000346368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.080{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Threading.ThreadPool.dll6.0.21.52210System.Threading.ThreadPoolMicrosoft® .NETMicrosoft CorporationSystem.Threading.ThreadPool.dllMD5=9840BBA2322F313B5ECC3F354154DED0,SHA256=FBE97ED25B7D8E16B6E31C1096DD5C3FBD57C52F8493D2DD203318AB18C99662,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000346367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.064{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.IO.Packaging.dll6.0.21.52210System.IO.PackagingMicrosoft® .NETMicrosoft CorporationSystem.IO.Packaging.dllMD5=DA615D912E394CE4EB9AF1A0059A4B67,SHA256=1DB55A41C5EBA6961C42FD117E05327397A38CC7EE6D43140800A520BF907D62,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.053{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.VisualStudio.Validation.dll15.5.31.7307Microsoft.VisualStudio.ValidationMicrosoft.VisualStudio.ValidationMicrosoftMicrosoft.VisualStudio.Validation.dllMD5=8E43C497B9A18938E8D320198C097CDE,SHA256=5297CDB7C4BED7A211E32372E5DB0CEC38DB389CDD5D47B661B917B0BCB21C19,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x8000000000000000346365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.050{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.VisualStudio.Composition.dll16.9.20.46383Microsoft.VisualStudio.CompositionMicrosoft.VisualStudio.CompositionMicrosoftMicrosoft.VisualStudio.Composition.dllMD5=7C2178AB00DCD3293CDC6E802E0630B0,SHA256=C7FC06522F493BB7070EF991FBB9569FD9697EC8676CE8DB00C69351699E5581,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x8000000000000000346364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.040{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Runtime.Loader.dll6.0.21.52210System.Runtime.LoaderMicrosoft® .NETMicrosoft CorporationSystem.Runtime.Loader.dllMD5=C76DF667CD6B5222575F0F44F5FFA040,SHA256=A229C3349D6A93FECEA7C3905A7843F17C2E718CC1C8455FE5344192816EFECB,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000346363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.038{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Logic.dll6.2.0.0dnSpy.Contracts.LogicdnSpy.Contracts.LogicdnSpy.Contracts.LogicdnSpy.Contracts.Logic.dllMD5=0B99E2FBD4EA2F5D197AFF054974BE8C,SHA256=145DFCF17BCA921B615C0C9B36CD840122281C02C74645A373E012EE264F465B,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000346362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.024{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85,IMPHASH=60EA58ED63BD25EC1709F72F112B0086trueMicrosoft WindowsValid 734700x8000000000000000346361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.022{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Linq.dll6.0.21.52210System.LinqMicrosoft® .NETMicrosoft CorporationSystem.Linq.dllMD5=7FB3F6E2FEE95DD6F13BACC74C169518,SHA256=AA688315AA69207C3414778BE7E7784FD454092D88BDA688CBEE708E5D4918BC,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.005{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.Win32.Registry.dll6.0.21.52210Microsoft.Win32.RegistryMicrosoft® .NETMicrosoft CorporationMicrosoft.Win32.Registry.dllMD5=DB21B670334DC68D3482D7831897AD97,SHA256=D11BE3A16FF786D384392BA1091AF8927F02BBE63940EDF90989CA6D1A407925,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:58.991{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Text.Encoding.Extensions.dll6.0.21.52210System.Text.Encoding.ExtensionsMicrosoft® .NETMicrosoft CorporationSystem.Text.Encoding.Extensions.dllMD5=E4F081F8B18FA697608385114D1C57F9,SHA256=973E762AD8FE034921FE58FCAC859E6CCEB0BB397B1F52709D6CAF11D891A5AA,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000346358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:58.988{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Memory.dll6.0.21.52210System.MemoryMicrosoft® .NETMicrosoft CorporationSystem.Memory.dllMD5=27D7183C28B8EC6B573FCA98E58B40D6,SHA256=AC5E2A48378826E15861C58B098B0C0C02F071EE5781FACF26209B75B264D6B0,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:58.978{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.ComponentModel.EventBasedAsync.dll6.0.21.52210System.ComponentModel.EventBasedAsyncMicrosoft® .NETMicrosoft CorporationSystem.ComponentModel.EventBasedAsync.dllMD5=9CC765DD1BD3BF0596778CBE1F8DEDD1,SHA256=36E2AFCE3DCE32F17177C3A1251EE168454967C50CA493CFCB685FB7D07FE4B8,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:58.975{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Net.WebClient.dll6.0.21.52210System.Net.WebClientMicrosoft® .NETMicrosoft CorporationSystem.Net.WebClient.dllMD5=5300F9FDCD5FE441970963EBC85567EC,SHA256=F8A1B90F32792242AFE8EE2377BC3B89A52EDBC94F5A67B7482609DF284E0E58,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:58.967{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Xml.ReaderWriter.dll6.0.21.52210System.Xml.ReaderWriterMicrosoft® .NETMicrosoft CorporationSystem.Xml.ReaderWriter.dllMD5=48C48D9A5FC64B5688A44CBA2412F918,SHA256=C9A047960D0AB3FC41A20DEB7AE1AD666132D6A553F06F6E8AE2CCEE308A0196,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000346354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:58.965{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Private.Xml.dll6.0.21.52210System.Private.XmlMicrosoft® .NETMicrosoft CorporationSystem.Private.Xml.dllMD5=F6B0A78FF996B24E2256E69555BE0B3A,SHA256=5C980BCE1F226C3A8BDFAC62AC89579C11261C67833B9BF36D5294B8EA19134E,IMPHASH=00000000000000000000000000000000true.NETValid 10341000x8000000000000000346526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.897{6820D070-4B7F-6323-9900-000000007502}29724972C:\Windows\Explorer.EXE{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.896{6820D070-4B7F-6323-9900-000000007502}29724972C:\Windows\Explorer.EXE{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.896{6820D070-4B7F-6323-9900-000000007502}29724972C:\Windows\Explorer.EXE{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.892{6820D070-4B7E-6323-9200-000000007502}45764716C:\Windows\system32\taskhostw.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.889{6820D070-4B7E-6323-9200-000000007502}45764716C:\Windows\system32\taskhostw.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.887{6820D070-4B7F-6323-9900-000000007502}29725736C:\Windows\Explorer.EXE{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.887{6820D070-4B7F-6323-9900-000000007502}29725736C:\Windows\Explorer.EXE{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.887{6820D070-4B7F-6323-9900-000000007502}29725736C:\Windows\Explorer.EXE{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.886{6820D070-4B7F-6323-9900-000000007502}29725736C:\Windows\Explorer.EXE{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.886{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+ca500|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.886{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+66460|C:\Windows\System32\SHELL32.dll+ca4bc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.886{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+ca490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.886{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000346513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.862{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4,IMPHASH=19FF3D7E49F43D90E4842B5753CAF441trueMicrosoft WindowsValid 734700x8000000000000000346512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.863{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4,IMPHASH=19FF3D7E49F43D90E4842B5753CAF441trueMicrosoft WindowsValid 734700x8000000000000000346511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.863{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4,IMPHASH=19FF3D7E49F43D90E4842B5753CAF441trueMicrosoft WindowsValid 734700x8000000000000000346510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.860{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539ED,IMPHASH=A2681C42106048F87359D11744AD087BtrueMicrosoft WindowsValid 734700x8000000000000000346509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.766{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Reflection.Emit.Lightweight.dll6.0.21.52210System.Reflection.Emit.LightweightMicrosoft® .NETMicrosoft CorporationSystem.Reflection.Emit.Lightweight.dllMD5=5A2EEBB47CF27319B58DAC5B70CBC99B,SHA256=C455E599426BA8D753CABB05F35171D9B9A7703D977FAC67D4371B3002C3EBED,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000346508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.762{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Xml.Linq.dll6.0.21.52210System.Xml.LinqMicrosoft® .NETMicrosoft CorporationSystem.Xml.Linq.dllMD5=BB8C7ECB5F4C3BB2C3AC848EAE4763E0,SHA256=9F67E1887297D3A54EB96836E093F8A8FBE4A38E2E27D64B91E609FA00807B1E,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 10341000x8000000000000000346507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.698{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.694{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000346505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.670{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\twinapi.appcore.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.appcore.dllMD5=807D0265EEB480488FD8F5BD31941489,SHA256=865D0A59E86E52F514BD1A782575CAD36100D7723595E566DD200B538D8B3A9E,IMPHASH=D3851D2627EE20865D40A6CE93CA8A17trueMicrosoft WindowsValid 734700x8000000000000000346504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.651{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\dxgi.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)DirectX Graphics InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationdxgi.dllMD5=F44AB7ABA7ED141A36E5C4F81DB43B6E,SHA256=C42607C98E4580B901671FF3E343902C1F05D97A7FE2E85A7920B55D181C1BD3,IMPHASH=4453AC692845F7F4429D6DD3ACF00D0EtrueMicrosoft WindowsValid 734700x8000000000000000346503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.626{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\d3d11.dll10.0.14393.5006 (rs1_release.220301-1704)Direct3D 11 RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D11.dllMD5=A6AC7569771A9D2B9DDB8839076D2C15,SHA256=7D8F95AF6D10F2F4086BF2ED3579E031BD991939816EA2CA162AA4BEF0243ECC,IMPHASH=3C84DC322121BEDBDD23AD37D5500FFCtrueMicrosoft WindowsValid 734700x8000000000000000346502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.610{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\dcomp.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft DirectComposition LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationdcomp.dllMD5=71488B2A3FEEE42631F968B08ED0503B,SHA256=2693217FA5F2A259F10D580B4AB95787ECB30B2DF16EF98631EF9D4B3DC62564,IMPHASH=37239F56D3864617C4EFB2A5F460F097trueMicrosoft WindowsValid 734700x8000000000000000346501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.590{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\DataExchange.dll10.0.14393.4169 (rs1_release.210107-1130)Data exchangeMicrosoft® Windows® Operating SystemMicrosoft CorporationDataExchange.dllMD5=D238A301AE8EFABD029CE5C9B7777BF0,SHA256=FBB2B864831D5F0F71E1D0167B4EDD4FACB62BFD7913C465F4E291B868120163,IMPHASH=D87E30B18F53FE55C5B018AF0882ADC7trueMicrosoft WindowsValid 734700x8000000000000000346500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.578{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9,IMPHASH=CAC6B3339C5CAA083E24A4484EE86E29trueMicrosoft WindowsValid 734700x8000000000000000346499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.566{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=74261D485681A12AFF1AD517FD0EF200,SHA256=DEC3B7B1EBF3F7F4940FE63D665E2C50F6447C848C35C64B1BDE446E04358480,IMPHASH=A92DB75F144155161CE7994504E7528FtrueMicrosoft WindowsValid 10341000x8000000000000000346498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.570{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+268c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.570{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.566{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.566{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000346494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.558{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\wtsapi32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Remote Desktop Session Host Server SDK APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationwtsapi32.dllMD5=55D5450C85C0A0DE8F2A22F2C0C816AE,SHA256=3CF7B03BEB7C47157C47EACEBFB731096468D1D25FF6784485EFD2FB806C4C5E,IMPHASH=62E80DE569E3D2B9A30E859918635AC7trueMicrosoft WindowsValid 734700x8000000000000000346493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.490{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7,IMPHASH=46FAD5286B22154C348CEBCE1107AFECtrueMicrosoft WindowsValid 734700x8000000000000000346492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.490{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\UIAutomationCore.dll7.2.14393.4169 (rs1_release.210107-1130)Microsoft UI Automation CoreMicrosoft® Windows® Operating SystemMicrosoft CorporationUIAutomationCore.dllMD5=58D7CC486FB757A96482F89A6D2D9088,SHA256=BA035B04C784402F69834914AD787E8DB854A7FB8B244AE6AAF54689DD4AFD09,IMPHASH=E8A9B749DD6516BB6E8D03D2472AFB9CtrueMicrosoft WindowsValid 23542300x8000000000000000346491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.466{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=193427620EB23BE173374B4F9F3F081C,SHA256=3B6C5D51A29A8C02A82F9B74553A7C22532BBEFA85E9E5B9BC26937D287B9DCA,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000346490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.409{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Security.Cryptography.Algorithms.dll6.0.21.52210System.Security.Cryptography.AlgorithmsMicrosoft® .NETMicrosoft CorporationSystem.Security.Cryptography.Algorithms.dllMD5=B81BE22569FAFE42814668520A1D5347,SHA256=63EBBC122624312EBE341010B3FFD7A827E074F17132763C78A47682ECF964AE,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.397{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\WindowsCodecs.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft Windows Codecs LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationWindowsCodecsMD5=7294744A8618ADCFB97F6CC9B06781BF,SHA256=9CBA204AECE064C4E8AA5C1E8D7C17EA054A47B315D8CEEFA1C206395E5E32D7,IMPHASH=5CB0004DB7090241A0C06F1853D02144trueMicrosoft WindowsValid 734700x8000000000000000346488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.369{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Security.Cryptography.Primitives.dll6.0.21.52210System.Security.Cryptography.PrimitivesMicrosoft® .NETMicrosoft CorporationSystem.Security.Cryptography.Primitives.dllMD5=B9FC91A22094CD30B15BFACBC2CBA1F4,SHA256=4665013250B612BC329C085F1CE603DAC70337BDBC6B2D7D1F342AA439DA3E09,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.365{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.5291 (rs1_release.220806-1444)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=6732CB1D5A08DD097CC0219B1653854B,SHA256=2F59D5F9D370B886BCA0A6B83CDFE1C1A68134A5D6D84D3BE8034BCBEEC7C442,IMPHASH=B1175218A8304DF3BD6BF43A45EE8073trueMicrosoft WindowsValid 734700x8000000000000000346486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.336{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=ABB61EA7CC462930FB56C2D004A5B06C,SHA256=7C1525EEFF5357013C68BDDAB2F255E40C8D82A43EF05F374B8DE7D8B5247711,IMPHASH=B1A124F5ECF68D9AFF86BEE7BFF328D4trueMicrosoft WindowsValid 734700x8000000000000000346485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.335{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90,IMPHASH=158FC41AF95869DAD152F6AD98D3B1B5trueMicrosoft WindowsValid 734700x8000000000000000346484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.332{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.5291 (rs1_release.220806-1444)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=92CAA0908C33E38522E606F13C23F6E0,SHA256=3A57A5D451EF57257586715AAC74309DA94383D5F8E1DD6C2D29F5172AD44F3F,IMPHASH=A8C982C1E8CF4134B4F2115A6232000DtrueMicrosoft WindowsValid 734700x8000000000000000346483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.285{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.IO.Compression.dll6.0.21.52210System.IO.CompressionMicrosoft® .NETMicrosoft CorporationSystem.IO.Compression.dllMD5=F1EE270D02A87F71FBBE0BA4AA4E0A43,SHA256=85D6EB6688F0A5A0EFAB12B3DBB304941473A2058143DA43BF9E24FC0D620A23,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.277{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Windows.Forms.Primitives.dll6.0.21.52301System.Windows.Forms.PrimitivesMicrosoft® .NETMicrosoft CorporationSystem.Windows.Forms.Primitives.dllMD5=7FCE5CBE0822B4C60EA5F3CA97F01E3E,SHA256=B0A8038E23D5B84197EB9F5663FACF36B1CB9B6A58087472A3567CE55CBCADE2,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.265{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\PresentationFramework-SystemXmlLinq.dll6.0.21.52301PresentationFramework-SystemXmlLinqPresentationFramework-SystemXmlLinqMicrosoft CorporationPresentationFramework-SystemXmlLinq.dllMD5=9F7114B908E373FEC0F74B57A019082B,SHA256=0B0FDCC2671B91BE0EC904E23C8B3C4611CD71229ED69A3CF4392ADF242008F8,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.265{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\WindowsFormsIntegration.dll6.0.21.52301WindowsFormsIntegrationWindowsFormsIntegrationMicrosoft CorporationWindowsFormsIntegration.dllMD5=74118947AE1802707FF134D9AF92F338,SHA256=203FC1BA02345D8423A844E6DCB254468F90B41F72C349861BCCF3299A3F9165,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.257{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Windows.Controls.Ribbon.dll6.0.21.52301System.Windows.Controls.RibbonSystem.Windows.Controls.RibbonMicrosoft CorporationSystem.Windows.Controls.Ribbon.dllMD5=FF11BF2735FC5F8F1C3AB5BC2A246E4E,SHA256=B229CC598BC658F35CCC4367DF57D4D40B1BF0499953D4B7D4C014CDAEF1887F,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.224{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\PresentationFramework-SystemXml.dll6.0.21.52301PresentationFramework-SystemXmlPresentationFramework-SystemXmlMicrosoft CorporationPresentationFramework-SystemXml.dllMD5=CDD0EBE1A38ED139C1A923C674EDC83C,SHA256=7D315D3E4D06D1B7F766ED74886C34A6C989289F653EB4E4F77C9D20FC95B4FE,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.224{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Security.Claims.dll6.0.21.52210System.Security.ClaimsMicrosoft® .NETMicrosoft CorporationSystem.Security.Claims.dllMD5=104BC8691C57F4EC1E06B2BEFE31706A,SHA256=52C05A3D4CDFD64321EBC9CE02D475FD731C23618D19FCF7073EEFC59C92629E,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.220{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Security.Principal.Windows.dll6.0.21.52210System.Security.Principal.WindowsMicrosoft® .NETMicrosoft CorporationSystem.Security.Principal.Windows.dllMD5=0DEFD6DCF365B2761F476BA134E256A2,SHA256=206E394E39434F9E422CEBDE63CA13DA7D9AB691B0D5EDAD8B09F443C397926E,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.212{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\d3d10warp.dll10.0.14393.2608 (rs1_release.181024-1742)Direct3D 10 RasterizerMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D10Warp.dllMD5=95A1BA1B908C04EE471AAB365D557FC4,SHA256=5EAFA5C8125CE0A4C69238F28E94E9DC96ECB2474CF429A1BA4C56233D32EBFE,IMPHASH=781D96AFC4A43989716F0476826C7E94trueMicrosoft WindowsValid 734700x8000000000000000346474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.180{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Images.dll1.0.0.0dnSpy.ImagesdnSpy.ImagesdnSpy.ImagesdnSpy.Images.dllMD5=ACC4E2952FC26913D94D45E21D19DE55,SHA256=EDAB4416BA61CB1215FAAB5F16A16C14582D2C91945C8530A805CA068151EA8A,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000346473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.166{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\d3d9.dll10.0.14393.447 (rs1_release_inmarket.161102-0100)Direct3D 9 RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D9.dllMD5=17C406D38C3989FF3BDB17D08C1991CE,SHA256=CB991C87BEBCC39F14696409BA99F1B76FE59ABE7F4CE3A3C32660BD40528676,IMPHASH=812DD928B5D288A053A41C64D9CF80E9trueMicrosoft WindowsValid 734700x8000000000000000346472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.144{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Drawing.Common.dll6.0.21.52210System.Drawing.CommonMicrosoft® .NETMicrosoft CorporationSystem.Drawing.Common.dllMD5=3F61C522E02B3665FEDF3F63BC819831,SHA256=93BCF120B10D65BED9F81CEA326780402A51AF0E481B866E216C8BC6F1BC898B,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.120{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\PresentationFramework.Aero2.dll6.0.21.52301PresentationFramework.Aero2PresentationFramework.Aero2Microsoft CorporationPresentationFramework.Aero2.dllMD5=9CC6B8074ED91CB19EAF41CD15C17848,SHA256=5A400B8E41508C30C3BF8BF51A82F1887D419DB450C5D668C0FD5BCE33ABD6F7,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.083{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\UIAutomationProvider.dll6.0.21.52301UIAutomationProviderUIAutomationProviderMicrosoft CorporationUIAutomationProvider.dllMD5=99898CAD47373801D1B0009132D5818A,SHA256=2E9CF404A035A4ABE9016F57916CA80E166DF7396F82F4A4F66E944C3F80D539,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.044{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Text.RegularExpressions.dll6.0.21.52210System.Text.RegularExpressionsMicrosoft® .NETMicrosoft CorporationSystem.Text.RegularExpressions.dllMD5=AB9FFD1FF21B691044015FC7D1B74808,SHA256=1F63A3FE8C74097DD9265F10DEA6DA6C3E8E0E1E74ABBF0F8743CB041F24116F,IMPHASH=00000000000000000000000000000000true.NETValid 354300x8000000000000000190013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:08:58.384{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49858-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000190012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:00.174{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=755D849A9276B2D238A339CF7BA26F52,SHA256=2271CA4CAF04A097A38F07DF52C6D82AF01B47064B752E3FAB77C0EA0104671B,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000346468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:00.001{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.dll6.0.21.52210SystemMicrosoft® .NETMicrosoft CorporationSystem.dllMD5=7D05EDA810470E90613D8AB61C04DFF4,SHA256=AF8058DCAACF7BCDEBBC8088A75E6BD3F46D7A57D89B8F00418917E6B232201E,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000346467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.998{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Core.dll6.0.21.52210System.CoreMicrosoft® .NETMicrosoft CorporationSystem.Core.dllMD5=CADB65D73483FD4D10A52E9BC09D0F2C,SHA256=7192696D54A82EA86CB25A2DDDE775A0661C7C69EBBD0030B66CA6E60F1E91BF,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000346466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.982{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Reflection.Primitives.dll6.0.21.52210System.Reflection.PrimitivesMicrosoft® .NETMicrosoft CorporationSystem.Reflection.Primitives.dllMD5=D0E36BF15D624B2EEDAF841DF183D3A7,SHA256=7E1A3CC1CEF7034B990CB72F2A58155DFD0EF7BE78F0FAF95188E518446DDE47,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000346465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.980{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Reflection.Emit.ILGeneration.dll6.0.21.52210System.Reflection.Emit.ILGenerationMicrosoft® .NETMicrosoft CorporationSystem.Reflection.Emit.ILGeneration.dllMD5=02F4F1EA5966FED3EC7E633A120F66C7,SHA256=64F3DC9CB8A00CD761A6BC4304F89F859E86E453D25C104A30CBEE1EEFB092A3,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000346464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.978{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Reflection.Emit.dll6.0.21.52210System.Reflection.EmitMicrosoft® .NETMicrosoft CorporationSystem.Reflection.Emit.dllMD5=CDCCA39FB513ABBC5267242CFA34A065,SHA256=1C708DDA9A34C24E9D5DEAB3E59EBB38289028D948FA5DF81B8695906E254A47,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000346463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.975{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\ICSharpCode.NRefactory.CSharp.dll5.5.1ICSharpCode.NRefactory.CSharpSharpDevelop/MonoDevelopICSharpCodeICSharpCode.NRefactory.CSharp.dllMD5=CCF01956A470A9197DFBFE38EF1A6623,SHA256=10472BE5C44E61CA9FB4FB443DF2353EB22030711CBE78266A34D76A3E81A21F,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 23542300x8000000000000000346537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:01.836{6820D070-4E19-6323-3B01-000000007502}6844ATTACKRANGE\AdministratorC:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\AppData\Local\Temp\WPF\c5rds2cq.5voMD5=825AB5E8C725411B8B9C319BDCC8EA4E,SHA256=2E3A2C34CC9728CB3C1915E1C778FD0D63D46AC8E238C90726C96E4A31042357,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000346536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:08:59.438{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63510-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000346535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:01.685{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3500-000000007502}2408C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000346534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:01.684{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3300-000000007502}2176C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000346533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:01.681{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000346532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:01.680{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3100-000000007502}2816C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000346531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:01.678{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2F00-000000007502}2800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000346530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:01.676{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3000-000000007502}2780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 734700x8000000000000000346529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:01.664{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\msctfui.dll10.0.14393.953 (rs1_release_inmarket.170303-1614)MSCTFUI Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTFUI.DLLMD5=2E0765561AC0715D03B2EAF4ACE62C5E,SHA256=F938D00A8FF9A1C832D0E50697A613D415A2B11988719E591C696D04027B189B,IMPHASH=46539B781BADC719A076E6CD82C5EF4CtrueMicrosoft WindowsValid 23542300x8000000000000000346528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:01.498{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA8D1831E9B8DAFF6044CA7054665B37,SHA256=528C3F2342EB4224A66E8A77397FA4D07AFB725218DFDCD67C95D960872A20A9,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000346527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:01.447{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\ICSharpCode.NRefactory.dll5.5.1ICSharpCode.NRefactorySharpDevelop/MonoDevelopICSharpCodeICSharpCode.NRefactory.dllMD5=59D0530BF5E8C05BEB4B4239DAF57455,SHA256=8E6353712DCCBFEA331D11CCEA8DF43F14E9644E226FE46861328C7C1311441D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 23542300x8000000000000000190014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:01.266{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=269CDF9DB53A4179BF56D5B4250693E1,SHA256=E7FDDC680037E414DAAF05120778C95B20D1649018444A946F3CAEA543D39A9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000346586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.517{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CE28D1A02A0DA0EC355B5D2991C1257,SHA256=8015B97D75853BF60940A0B0AEDC6CD26FCA610B768CE754C37BCCC1E2ADD010,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000346585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.475{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Reflection.Extensions.dll6.0.21.52210System.Reflection.ExtensionsMicrosoft® .NETMicrosoft CorporationSystem.Reflection.Extensions.dllMD5=0C573B6691794FE91E6BBCCBFE56040D,SHA256=23205571BD4B97E6681F1CC9D38A5D5561DA0BA8F50B2ADB3704A2A61A3F3B39,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000346584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.473{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Runtime.CompilerServices.Unsafe.dll6.0.21.52210System.Runtime.CompilerServices.UnsafeMicrosoft® .NETMicrosoft CorporationSystem.Runtime.CompilerServices.Unsafe.dllMD5=BD9EF23AFCFC4F36BB524BB0DF83604A,SHA256=50C4304AA0723F8FBD90D1F91A9A75A635ECFB8E6AA905F12F2DFA6F5C8BDA7D,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.470{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Linq.Expressions.dll6.0.21.52210System.Linq.ExpressionsMicrosoft® .NETMicrosoft CorporationSystem.Linq.Expressions.dllMD5=2237CB203E627CB351B9894F6724D7ED,SHA256=A62E686E055A781523AE56B90BCD5B6E6CD8B6540D3E3EDA85657DAAB066424E,IMPHASH=00000000000000000000000000000000true.NETValid 23542300x8000000000000000190015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:02.365{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED6CEEFDB550B7374668896278515CA8,SHA256=F65FCA5DB994E85D42EC02254C1BAC01D973035B87A075506D4C47575B673792,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000346582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.406{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.DiaSymReader.dll1.400.22.11101Microsoft.DiaSymReaderMicrosoft.DiaSymReaderMicrosoft CorporationMicrosoft.DiaSymReader.dllMD5=8EA512071D38B8237F255F9E6E8789CD,SHA256=AF1454B363F234832B37E3F8E0472E2A7B612E4A74B6D8DAF8D0376AE9E10E6A,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueWindows PhoneValid 734700x8000000000000000346581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.402{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Runtime.Serialization.Primitives.dll6.0.21.52210System.Runtime.Serialization.PrimitivesMicrosoft® .NETMicrosoft CorporationSystem.Runtime.Serialization.Primitives.dllMD5=BBEF0264A01DEE8EDA38BFAE66222934,SHA256=EAD2441E5B5DA178FC5F3665179D59F1CADF9FD2DA4786FD04720F96B5F74A72,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.400{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.IO.MemoryMappedFiles.dll6.0.21.52210System.IO.MemoryMappedFilesMicrosoft® .NETMicrosoft CorporationSystem.IO.MemoryMappedFiles.dllMD5=1B77C94AF33F444190FED152677E332F,SHA256=3827F7C14536E7DF1C8360F426C50359C9F2F3F1C8BBA0B4988F112759776E51,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.396{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Composition.AttributedModel.dll4.6.24705.01System.Composition.AttributedModelMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Composition.AttributedModel.dllMD5=24A0C8CCE8C132DF82C9B9C1AE834D05,SHA256=04D8EB1419E053FB7502DD952F3977F75B27DEDE5418D5F87D21DE16ADBD8313,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x8000000000000000346578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.394{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Composition.Runtime.dll4.6.24705.01System.Composition.RuntimeMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Composition.Runtime.dllMD5=D18C354A78688D6A3CF68A0567AF40E3,SHA256=C419E3D51F9EEFB1F6FC0FB7CCF9B5AC5CC4B75FA75131D4AF0C74252914EB10,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x8000000000000000346577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.392{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Reflection.dll6.0.21.52210System.ReflectionMicrosoft® .NETMicrosoft CorporationSystem.Reflection.dllMD5=3936A133A7D185EB013DBDF7689B16B5,SHA256=BCC19E3FA18AA90D62B21E2AE9A060E6C51727D411354D20BB387D10AB0ABD86,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000346576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.390{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Composition.Hosting.dll4.6.24705.01System.Composition.HostingMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Composition.Hosting.dllMD5=D84515EE702052020EAAB048C0C221E3,SHA256=7A26E95E0F75E803ADB555ECFD02BCA59A533A4855DB6C861A3DEFB619DCE813,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x8000000000000000346575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.388{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Composition.TypedParts.dll4.6.24705.01System.Composition.TypedPartsMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Composition.TypedParts.dllMD5=B91887BFCA35E50CCE9F2D7102C88706,SHA256=2C609BED3BBD2BE810471E31E36B12CB321A50FC2541E8F29C1F59C8CF869C41,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x8000000000000000346574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.383{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.VisualBasic.Features.dll4.100.22.11411Microsoft.CodeAnalysis.VisualBasic.FeaturesMicrosoft.CodeAnalysis.VisualBasic.FeaturesMicrosoft CorporationMicrosoft.CodeAnalysis.VisualBasic.Features.dllMD5=C016B1DEEEF496942DD968FBA534DCC2,SHA256=F3B4EA151024366A974ADA3C509976470427921DE5D6CF6AB00BB06D63B77B05,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000346573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.363{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.CSharp.Features.dll4.100.22.11411Microsoft.CodeAnalysis.CSharp.FeaturesMicrosoft.CodeAnalysis.CSharp.FeaturesMicrosoft CorporationMicrosoft.CodeAnalysis.CSharp.Features.dllMD5=180213DE249390D67791C54C9780B3AA,SHA256=B17279D0AE6AF8D16815E811B6F60B2628DC4994271463D0A43CFA5E8BDBC4CB,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000346572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.340{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.VisualBasic.Workspaces.dll4.100.22.11411Microsoft.CodeAnalysis.VisualBasic.WorkspacesMicrosoft.CodeAnalysis.VisualBasic.WorkspacesMicrosoft CorporationMicrosoft.CodeAnalysis.VisualBasic.Workspaces.dllMD5=807DD60A75A1330ED9A75ABADA3E6831,SHA256=EE89F918FC88E15F4AC90F4C11E3D52EB3EA76BB0A9771577634A93543550C09,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000346571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.323{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.CSharp.Workspaces.dll4.100.22.11411Microsoft.CodeAnalysis.CSharp.WorkspacesMicrosoft.CodeAnalysis.CSharp.WorkspacesMicrosoft CorporationMicrosoft.CodeAnalysis.CSharp.Workspaces.dllMD5=004885BA5B1D4DBF89F7F829861B98D4,SHA256=0CBC67A98FD8ABB9864DDCAFF6BFB572BA3F6F9EE66FA7AF1C551EF031233D37,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000346570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.306{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.VisualBasic.Internal.dll1.0.0.0dnSpy.Roslyn.VisualBasic.InternaldnSpy.Roslyn.VisualBasic.InternaldnSpy.Roslyn.VisualBasic.InternaldnSpy.Roslyn.VisualBasic.Internal.dllMD5=D1C0274FACB33012B897BA2B418E575E,SHA256=C2C2088CD5BE29D6FFFD0BC78C4D87A3ED253B6F7F20A594C4BE62F6306397C6,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000346569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.303{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.CSharp.Internal.dll1.0.0.0dnSpy.Roslyn.CSharp.InternaldnSpy.Roslyn.CSharp.InternaldnSpy.Roslyn.CSharp.InternaldnSpy.Roslyn.CSharp.Internal.dllMD5=D9840B5CCF3122E9C1B3A0C3CB6AC5E8,SHA256=D2DB5E3894D8EC18EA52B867D77BA43F103A84AEBEB8983306913204967A4A63,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 10341000x8000000000000000346568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.291{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000346567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.289{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000346566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.287{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000346565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.285{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000346564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.283{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000346563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.280{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000346562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.278{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF6-6323-1401-000000007502}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000346561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.277{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000346560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.274{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F100-000000007502}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000346559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.272{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F000-000000007502}6028C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000346558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.270{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EF00-000000007502}5984C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000346557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.264{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EE00-000000007502}5852C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000346556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.244{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000346555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.238{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 734700x8000000000000000346554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.181{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.CSharp.dll4.100.22.11411Microsoft.CodeAnalysis.CSharpMicrosoft.CodeAnalysis.CSharpMicrosoft CorporationMicrosoft.CodeAnalysis.CSharp.dllMD5=68888FFA2D8AF2715DA808AA9545668C,SHA256=E39E962775915C4A74B1B29ED664F352D7EDACD3E8F798F11A482F0057C08820,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 10341000x8000000000000000346553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.230{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000346552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.211{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000346551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.206{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-9100-000000007502}4556C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000346550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.201{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-8E00-000000007502}4492C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000346549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.198{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8B00-000000007502}4360C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000346548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.196{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8900-000000007502}900C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000346547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.195{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B64-6323-8600-000000007502}5052c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 23542300x8000000000000000346546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.193{6820D070-4E19-6323-3B01-000000007502}6844ATTACKRANGE\AdministratorC:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\AppData\Local\dnSpy\Startup32\net\startup.profileMD5=9CCA75F7F80C0C5525A401EC44A98900,SHA256=365DC6776C04037AD1D12EE851D50D8B11445805356EB8E291BEF6CCCD4AC9C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000346545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.191{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B5A-6323-8400-000000007502}4824C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000346544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.190{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AF2-6323-7D00-000000007502}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000346543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.189{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000346542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.188{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4C00-000000007502}3976C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000346541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.188{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4700-000000007502}3772C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000346540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.188{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE1-6323-4600-000000007502}3752C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000346539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.187{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE0-6323-3A00-000000007502}3404C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 734700x8000000000000000346538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:02.085{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.VisualBasic.dll4.100.22.11411Microsoft.CodeAnalysis.VisualBasicMicrosoft.CodeAnalysis.VisualBasicMicrosoft CorporationMicrosoft.CodeAnalysis.VisualBasic.dllMD5=9959DB5A9DF4D423964E01E510A3F260,SHA256=CC4ABC7C77E5DF9B010D9EBDC9464B73DAF03129EE70DB68D761B7E0FB092078,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 23542300x8000000000000000346587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:03.621{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5AFE553D1490DDFD1E96F869635419A,SHA256=560DD22D5FAB67AAC57A2159EB96F4646FF9AB568B10AAA2C9A728FB4EDABA47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:03.999{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0F00-000000007602}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:03.972{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0E00-000000007602}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000190020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:03.964{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0D00-000000007602}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000190019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:03.957{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0C00-000000007602}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000190018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:03.949{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000190017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:03.945{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0900-000000007602}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 23542300x8000000000000000190016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:03.450{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75E3CA97C8CBC695D3F2D51202613D35,SHA256=AF84F3C08ADC45FCDD467E80E42065E9B0D60C2F615AA06D4F5855243437B60A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:04.649{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9270003F74D266E1FB0B9A9335BAE695,SHA256=62FE1B6DD0D252071DEF3BA0DFA85A54EE74A6B6775CE3EF814AB9CD5D8AA310,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000346590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:04.636{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=516F7C60C1C0524BF43ED7AC1604483F,SHA256=3D19F534DA7C73A86C2DF42706DC53963DDBAFA7821EACD95BED4991C3B9E13A,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000346589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:04.555{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Runtime.Numerics.dll6.0.21.52210System.Runtime.NumericsMicrosoft® .NETMicrosoft CorporationSystem.Runtime.Numerics.dllMD5=AA0B7C35F5BC58EE9DF358E598396723,SHA256=EC6375D30F957BF0EC86BB3F6ADA7F4A0B5A0B688115B46F4BE6882C48679D54,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000346588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:04.082{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.CSharp.dll6.0.21.52210Microsoft.CSharpMicrosoft® .NETMicrosoft CorporationMicrosoft.CSharp.dllMD5=EBCDC3820DFAE1D74B698181A3C09916,SHA256=BFA7165815659626E9D3DB116AE9DFA0A7CA2AABAB30807744024B71DAE61248,IMPHASH=00000000000000000000000000000000true.NETValid 10341000x8000000000000000190052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:04.239{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B84-6323-9000-000000007602}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:04.231{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:04.216{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:04.206{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8700-000000007602}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:04.191{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B81-6323-8400-000000007602}3052C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:04.185{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B80-6323-8100-000000007602}640C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:04.183{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B7F-6323-7F00-000000007602}1676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:04.179{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B4B-6323-7B00-000000007602}2656C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:04.176{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AE3-6323-6D00-000000007602}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:04.174{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:04.166{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4200-000000007602}3036C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:04.166{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4000-000000007602}3000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:04.163{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-3C00-000000007602}2820C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:04.163{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD2-6323-2B00-000000007602}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:04.161{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2600-000000007602}2612C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:04.155{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2500-000000007602}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:04.152{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:04.139{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:04.134{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2000-000000007602}2000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:04.132{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1F00-000000007602}1984C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:04.124{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1C00-000000007602}1924C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:04.116{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1900-000000007602}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:04.095{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1700-000000007602}1228C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:04.094{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1600-000000007602}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:04.084{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1500-000000007602}1056C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:04.063{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1400-000000007602}1048C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:04.058{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1300-000000007602}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:04.052{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1200-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:04.042{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1100-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:04.017{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1000-000000007602}940C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 23542300x8000000000000000190055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:05.802{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13ACB0557CE449911710835206620770,SHA256=673E5C408CA4B38F633295B15FA9F7CBA91FFD71C5A33FC06CCAB4C667338F01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000346591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:05.663{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7091AF9E92F497B076FA956ACC2D9C90,SHA256=62D009220972DA81A805E997686C0982288F3BC332A9F5979B5EA83A77089DAA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:03.388{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49859-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000190060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:06.970{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22B12BE70BDC30AC78C1400140E6F74C,SHA256=0DF8FC82AFFE8AFDBFDEB60BC68280CF75F73E799A1676200E1ACC490E854739,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000346592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:06.675{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AC2045ACE1F19996A55260BFA2088CE,SHA256=A003FBE558CCB56DF4BDD2820596BF75F51579615654D67A99621EF558E9BF10,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:06.296{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:06.296{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:06.296{E743DC12-4ACF-6323-0B00-000000007602}628668C:\Windows\system32\lsass.exe{E743DC12-4AD0-6323-1400-000000007602}1048C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:06.283{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-1D00-000000007602}1944C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000346593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:07.688{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=842E921D8F6A47203341BBD244279E61,SHA256=225E8F7E8A4A056378DF7DEAF1B3940100719FB3F9EB5AEDA10414411E42AEA2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:07.601{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4E23-6323-EC00-000000007602}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:07.601{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:07.601{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:07.601{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:07.601{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:07.601{E743DC12-4ACF-6323-0500-000000007602}412428C:\Windows\system32\csrss.exe{E743DC12-4E23-6323-EC00-000000007602}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:07.601{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4E23-6323-EC00-000000007602}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:07.602{E743DC12-4E23-6323-EC00-000000007602}3964C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000190061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:07.299{E743DC12-4AD0-6323-0D00-000000007602}7885104C:\Windows\system32\svchost.exe{E743DC12-4AD3-6323-4200-000000007602}3036C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000346595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:08.804{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20EB1D76623B5BFACB174ADD87093604,SHA256=9E138279AA712C18CD6CBE8E1EAB032D8F695D433BDC425EF9DBE0388FA2338B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:08.949{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4E24-6323-EE00-000000007602}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:08.947{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:08.946{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:08.946{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:08.946{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:08.946{E743DC12-4ACF-6323-0500-000000007602}412428C:\Windows\system32\csrss.exe{E743DC12-4E24-6323-EE00-000000007602}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:08.945{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4E24-6323-EE00-000000007602}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:08.946{E743DC12-4E24-6323-EE00-000000007602}3464C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000190080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:08.679{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CD7EE89E29F35C454B8950D0078C2856,SHA256=3EDAF9B7F2FFD06164AF7BBAA84070ED3F5D085C3851FEC0D5620DCB8BD6E0E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:08.437{E743DC12-4E24-6323-ED00-000000007602}32803024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:08.280{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4E24-6323-ED00-000000007602}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:08.280{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:08.280{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:08.280{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:08.280{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:08.280{E743DC12-4ACF-6323-0500-000000007602}412428C:\Windows\system32\csrss.exe{E743DC12-4E24-6323-ED00-000000007602}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:08.280{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4E24-6323-ED00-000000007602}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:08.281{E743DC12-4E24-6323-ED00-000000007602}3280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000190070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:08.062{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E96FCC891EE5BFA5E42AC5F10CC1E89,SHA256=E702CCD334AF9AB479FA06BD5DDDEA7C54F09C59AD09C833F0D4CF83420A381C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000346594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:05.279{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63511-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000346596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:09.814{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=617204CB90CF8F63723BDEB5391C776A,SHA256=28544980D408DBC0E3439B3354880ADFC8D14D7F4CEB1ED8EC6904E062E201A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:09.780{E743DC12-4E25-6323-EF00-000000007602}42883120C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:09.624{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4E25-6323-EF00-000000007602}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:09.624{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:09.624{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:09.624{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:09.624{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:09.624{E743DC12-4ACF-6323-0500-000000007602}4121064C:\Windows\system32\csrss.exe{E743DC12-4E25-6323-EF00-000000007602}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:09.624{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4E25-6323-EF00-000000007602}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:09.625{E743DC12-4E25-6323-EF00-000000007602}4288C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000190089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:09.132{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A8678D78F89060B1422564968453A8F,SHA256=1263CAEDA2D736E179A57C2FAF356229C4198D75F005488B6E52CDC77E27C622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000346597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:10.839{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA41345B4E4ED0E199527E485F309938,SHA256=D1B51F93B371C280DBC81C6B56374A133064979608B5796136421D6437BD6A6B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:10.983{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4E26-6323-F100-000000007602}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:10.983{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:10.983{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:10.983{E743DC12-4ACF-6323-0500-000000007602}4121064C:\Windows\system32\csrss.exe{E743DC12-4E26-6323-F100-000000007602}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:10.983{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:10.983{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:10.983{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4E26-6323-F100-000000007602}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:10.984{E743DC12-4E26-6323-F100-000000007602}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000190109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:10.492{E743DC12-4E26-6323-F000-000000007602}23723792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:10.303{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4E26-6323-F000-000000007602}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:10.303{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:10.303{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:10.303{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:10.303{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:10.303{E743DC12-4ACF-6323-0500-000000007602}412428C:\Windows\system32\csrss.exe{E743DC12-4E26-6323-F000-000000007602}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:10.303{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4E26-6323-F000-000000007602}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:10.304{E743DC12-4E26-6323-F000-000000007602}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000190100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:10.210{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05A0A6BEC9DC8BEC9D4668D757C47B4E,SHA256=B2E0D9D72987D39F107B12FDED0850812AEBBEEDF999F02234B8FA51E1B9E559,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:10.054{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=5C17F10C1D79CECE648827245E1E52D9,SHA256=1C95D8FC2C29D3EE6F26C4EA0D55D391766BF5E2CEC3DA9878204D5ED8D538A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000346603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:11.862{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A192B39C70534563CBC79AA13C75FA01,SHA256=9BD48318663C6269022638F8E994DBBF47488C44821FDF91107356E504C982C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:09.322{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49860-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000190134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:11.661{E743DC12-4AD1-6323-2200-000000007602}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0798146FE1B9D9F224BD9C9B2AD8F043,SHA256=D8A9F4A24E82E3CDB03DB9C81897F79713DC5C6F284B852DF53A32DEA8C472AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:11.599{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4E27-6323-F200-000000007602}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:11.599{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:11.599{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:11.599{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:11.599{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:11.599{E743DC12-4ACF-6323-0500-000000007602}412428C:\Windows\system32\csrss.exe{E743DC12-4E27-6323-F200-000000007602}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:11.599{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4E27-6323-F200-000000007602}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:11.601{E743DC12-4E27-6323-F200-000000007602}3704C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000190125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:11.372{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7836A325F07C46477D5A4DB3A9B144C2,SHA256=BA204B5B33DED780CC669944CCA7D123BA96724C4A78583FEDD58873202C5239,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000346602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:11.199{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Accessibility.dll6.0.21.52301Accessibility-versionMicrosoft® .NETMicrosoft CorporationAccessibility-version.dllMD5=0FF4D556617A1E55863CD6FE17CFAA61,SHA256=484E1F592A490C528369F98E807B918C3159B9432CA53FBD6A8FC4EABE88FC2E,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000346601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:11.191{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\oleacc.dll7.2.14393.5127 (rs1_release_inmarket.220514-1756)Active Accessibility Core ComponentMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEACC.DLLMD5=578E7CDCEEEC1A28163863C5AAFAE703,SHA256=EE6DED451C99D92FDB375232A5DF33C846C11425E4409DBA6063539A1C566403,IMPHASH=91DB2465A9EA36C5C01315C79E4EAD5AtrueMicrosoft WindowsValid 734700x8000000000000000346600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:11.179{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\sxs.dll10.0.14393.5246 (rs1_release.220701-1744)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=2A16D108FE99577ABCC08B92F2765971,SHA256=AF5268F39CE35FA3215E8162A0BF4C1949D0F5FB7A284953362ED23507C5697F,IMPHASH=36E120EA05F8714D20693A7DA02D7326trueMicrosoft WindowsValid 10341000x8000000000000000346599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:11.054{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:11.054{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:11.208{E743DC12-4E26-6323-F100-000000007602}41204244C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:11.127{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4E26-6323-F100-000000007602}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 10341000x8000000000000000190122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:11.127{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4E26-6323-F100-000000007602}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 10341000x8000000000000000190121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:11.126{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4E26-6323-F100-000000007602}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 10341000x8000000000000000190120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:11.126{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4E26-6323-F100-000000007602}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 10341000x8000000000000000190119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:11.126{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4E26-6323-F100-000000007602}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 10341000x8000000000000000190118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:11.126{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4E26-6323-F100-000000007602}4120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 23542300x8000000000000000346605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:12.971{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE737206F9E2E059D0BE95AF8E134F1B,SHA256=D0274DC2B69650623258CFA1D5074ED7D58B93571A78443A9FEF6267EC27DA5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:12.542{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=553890EA69AF0D6F432A1E0FD8785A64,SHA256=6147E0EDFC9048FA2EE5C6A46109317B34AFBC5588AF716588227F12211D54B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000346604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:10.434{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63512-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000346606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:13.981{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B28B7FFE8C5580B8A617DAE2A5C3ECB,SHA256=F919C5655394FF75D6E1EADD4AFDA38E58F7385AEB969B59D852F814B79F8935,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:13.732{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB882A742A8CDC1CF35CF489BAB52471,SHA256=CBFAE8D6D627113A67CB35BFE4CA4A57D34D67CB847BF4CCE713A7B60D9F6BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:14.828{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2E9602218FF7C59D08F499825DB6024,SHA256=727251037F59E0B97BE3D7EF3B5EE69BFE5C8F62C3681FD0BBF788EB4E674A1E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000346638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:14.651{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:14.651{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000346636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:14.285{6820D070-4E19-6323-3B01-000000007502}6844ATTACKRANGE\AdministratorC:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\AppData\Local\dnSpy\Startup32\net\startup-roslyn.profileMD5=3B81892663201C713618FD6E65564418,SHA256=89D7CD8AAF5754E11BD32960DF97181774F97D43244100E59C6656A021964BCB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000346635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:14.117{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:14.116{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:14.116{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:14.116{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:14.116{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:14.116{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:14.116{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:14.116{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:14.116{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:14.115{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:14.115{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:14.115{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:14.115{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:14.115{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:14.115{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:14.115{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:14.115{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:14.115{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:14.115{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:14.115{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:14.114{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:14.114{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:14.114{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:14.114{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:14.114{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:14.114{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:14.114{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:14.114{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4AD1-6323-1200-000000007502}396C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:14.114{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4AD1-6323-1200-000000007502}396C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000190139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:15.897{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75A5D26791A692D054C92C31F3B9DE05,SHA256=C3F24984ACEA5DA254FA2059CEBBB98980BBBEB993560BCC28A919740C046447,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000346639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:15.384{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=774F918CDAE7397DE679BEC2B05CF197,SHA256=D71821A14D32E94092E4CE7F2CEBDD9B792728ACF1E343F84077C9E1202578DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:16.970{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90C00B5D8F9C480580F71A6F109EA0C1,SHA256=36211848522C0F252E1B4C358B0B0A75A433872B4E47EB3130BD7A2BBEF5221B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000346642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:16.441{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCA9A29C7767DB4C414C320801D2A3A0,SHA256=7F6E75AC0814BA2A7987CF2A9D26A452533A46A1EF5EBA8C1B70FB8FEE16758E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:14.336{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49861-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000346641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:16.146{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:16.146{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000346643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:17.458{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA6AF7C0AEAD01332A622A80FAA8FD32,SHA256=A4CAB6900D644B47B3A3331ECA17574CEA595E0B37A060CE878D2D034B904A8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000346645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:16.307{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63513-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000346644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:18.465{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08F809E3BCFB585D946C875014F1CC0E,SHA256=F344792B78A9EB7D85DBA864737330D5F8E40E5DF245AFE008AA857413A7C5FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:18.081{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7241769D5DEE3F4456D01D4D159F0BE,SHA256=B6C654D03DBADB95E35ECA7B0279FF50031B2A0D22BB22788EA618764B32EDC4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000346674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:19.829{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:19.829{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:19.817{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:19.817{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:19.717{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2E00-000000007502}2728C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:19.716{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2D00-000000007502}2720C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:19.709{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 23542300x8000000000000000346667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:19.483{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78F2F064ACAFC7273B953F89A6559E69,SHA256=7BBBECA594C88BC93D9B52493C8A0827F7CC3285221B01844AA2559FCDCF2092,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:19.941{E743DC12-4AD0-6323-1C00-000000007602}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\respondent-20220915155459-013MD5=36EB26F9EED14D2A649109B5B0D3FC1A,SHA256=D5225DBB467937E991D5678F78067E4612BF477D9EC2143F1C43E71004CE921E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:19.274{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:19.274{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:19.274{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:19.274{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:19.274{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:19.274{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:19.274{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:19.274{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:19.274{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:19.274{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:19.274{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:19.274{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:19.274{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:19.274{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:19.274{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:19.274{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:19.274{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:19.274{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:19.274{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:19.274{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:19.274{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:19.274{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:19.274{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:19.274{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B84-6323-9000-000000007602}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:19.274{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B84-6323-9000-000000007602}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:19.274{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B84-6323-9000-000000007602}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000190143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:19.165{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=172FF242FC5D17A19B417A78F6B2AEBE,SHA256=5AC80626BAB50A4454AD18D3180BAB319BEF6FC6079E20846138923FE0A5F360,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000346666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:19.364{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:19.353{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2900-000000007502}2576C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:19.345{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:19.334{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2600-000000007502}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:19.325{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2500-000000007502}2460C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:19.321{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADB-6323-2300-000000007502}2300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:19.320{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD2-6323-1B00-000000007502}1512C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:19.317{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1700-000000007502}1348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:19.302{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1600-000000007502}1292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:19.273{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:19.268{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1400-000000007502}1160C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:19.259{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1300-000000007502}924C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:19.247{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1200-000000007502}396C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:19.234{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1100-000000007502}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:19.227{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1000-000000007502}428C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:19.212{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0F00-000000007502}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:19.205{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:19.195{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0D00-000000007502}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:19.187{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:19.145{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:19.142{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0900-000000007502}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 23542300x8000000000000000190173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:20.945{E743DC12-4AD0-6323-1C00-000000007602}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\surveyor-20220915155457-014MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:20.694{E743DC12-4AD1-6323-2200-000000007602}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:20.579{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CED2918DE3664D280C50313EF9730FBC,SHA256=59BE6AA06B2CDA77D00C1CE39B30080762DF1EBAED560F8D6ECE47540C491104,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000346675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:20.515{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69595E946DAD03EB1CB2AA9C02974F31,SHA256=29F7D57C25F61BD8CFE4EFC30219644219CF20F1C6F075EFEAC6FCA771BF8FE1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:19.921{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49863-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x8000000000000000190175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:19.438{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49862-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000190174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:21.685{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B222AF74C8CECE8B1AC9B728161FC2AD,SHA256=CC211C88C1299B067A59F5DB9ED4F2F4AD8BD36EED5E5428CF2C2C64D892B247,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000346700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:21.842{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:21.842{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:21.842{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:21.842{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:21.755{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3500-000000007502}2408C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:21.754{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3300-000000007502}2176C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:21.750{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:21.747{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3100-000000007502}2816C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:21.745{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2F00-000000007502}2800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:21.742{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3000-000000007502}2780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:21.653{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:21.653{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:21.653{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000346687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:21.633{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000346686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:21.633{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000346685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:21.633{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000346684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:21.621{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 734700x8000000000000000346683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:21.625{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000346682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:21.625{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 10341000x8000000000000000346681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:21.613{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000346680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:21.579{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CF9B86755EF315F6EFF6EB7D64DAC6E,SHA256=800B1B69AA6E093F78AC17366F3528EE49AD85A8BB44A533CD4D35571B4B3679,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000346679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:21.367{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:21.367{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:21.359{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:21.359{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000190177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:22.879{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8482D2527DC1ECF7181167F677A2B052,SHA256=7FFAA70A1EEE9AA818B9C6B39803FA4DCCD32226DB0140765B87716ADDE7E8DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000346730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:22.794{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14A326ACD68EDA73634143C3C21674E6,SHA256=FA59936D177BF6039F77F7DC04F40E3AF09F7CF23A55DD4DB84C7DD464DA39FE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000346729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:22.623{6820D070-4AD1-6323-0D00-000000007502}8883304C:\Windows\system32\svchost.exe{6820D070-4AE2-6323-4C00-000000007502}3976C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:22.433{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:22.431{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:22.429{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:22.426{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:22.422{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:22.412{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:22.409{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF6-6323-1401-000000007502}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:22.407{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:22.404{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F100-000000007502}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:22.399{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F000-000000007502}6028C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:22.397{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EF00-000000007502}5984C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:22.387{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EE00-000000007502}5852C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:22.365{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:22.358{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:22.343{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:22.318{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:22.305{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-9100-000000007502}4556C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:22.297{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-8E00-000000007502}4492C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:22.289{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8B00-000000007502}4360C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:22.288{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8900-000000007502}900C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:22.286{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B64-6323-8600-000000007502}5052c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:22.280{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B5A-6323-8400-000000007502}4824C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:22.277{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AF2-6323-7D00-000000007502}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:22.273{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:22.270{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4C00-000000007502}3976C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:22.269{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4700-000000007502}3772C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:22.267{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE1-6323-4600-000000007502}3752C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000346701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:22.267{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE0-6323-3A00-000000007502}3404C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000190185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:23.997{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1100-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:23.983{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1000-000000007602}940C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:23.979{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0F00-000000007602}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:23.971{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0E00-000000007602}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 734700x8000000000000000346774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.783{6820D070-4E33-6323-3C01-000000007502}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000346773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.781{6820D070-4E33-6323-3C01-000000007502}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000346772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.780{6820D070-4E33-6323-3C01-000000007502}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000346771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.776{6820D070-4E33-6323-3C01-000000007502}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000346770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.774{6820D070-4E33-6323-3C01-000000007502}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000346769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.771{6820D070-4E33-6323-3C01-000000007502}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000346768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.771{6820D070-4E33-6323-3C01-000000007502}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000346767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.766{6820D070-4E33-6323-3C01-000000007502}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000346766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.765{6820D070-4E33-6323-3C01-000000007502}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000346765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.873{6820D070-4E33-6323-3C01-000000007502}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000346764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.873{6820D070-4E33-6323-3C01-000000007502}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000346763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.758{6820D070-4E33-6323-3C01-000000007502}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000346762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.865{6820D070-4E33-6323-3C01-000000007502}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000346761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.699{6820D070-4E33-6323-3C01-000000007502}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 734700x8000000000000000346760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.855{6820D070-4E33-6323-3C01-000000007502}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000346759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.854{6820D070-4E33-6323-3C01-000000007502}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000346758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.840{6820D070-4E33-6323-3C01-000000007502}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000346757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.833{6820D070-4E33-6323-3C01-000000007502}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000346756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.825{6820D070-4E33-6323-3C01-000000007502}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000346755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.821{6820D070-4E33-6323-3C01-000000007502}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000346754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.817{6820D070-4E33-6323-3C01-000000007502}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 23542300x8000000000000000346753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.807{6820D070-4ADF-6323-3200-000000007502}2936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000346752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.801{6820D070-4E33-6323-3C01-000000007502}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000346751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.799{6820D070-4E33-6323-3C01-000000007502}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000346750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.796{6820D070-4E33-6323-3C01-000000007502}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000346749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.781{6820D070-4E33-6323-3C01-000000007502}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000346748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.781{6820D070-4E33-6323-3C01-000000007502}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000346747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.771{6820D070-4E33-6323-3C01-000000007502}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000346746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.765{6820D070-4E33-6323-3C01-000000007502}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000346745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.763{6820D070-4E33-6323-3C01-000000007502}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000346744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.761{6820D070-4E33-6323-3C01-000000007502}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000346743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.753{6820D070-4E33-6323-3C01-000000007502}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 10341000x8000000000000000346742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.752{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4E33-6323-3C01-000000007502}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000346741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.750{6820D070-4E33-6323-3C01-000000007502}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 23542300x8000000000000000346740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.736{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAF7B541ADB29D9FE373222821EA592C,SHA256=B0FA0E818E580C171A6FCBD07DDEC0DCC69CEAC76CF8427F060DF4ACC36D4461,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000346739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.726{6820D070-4E33-6323-3C01-000000007502}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000346738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.718{6820D070-4E33-6323-3C01-000000007502}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000346737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.699{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.699{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.698{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.698{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.698{6820D070-4ACF-6323-0500-000000007502}404420C:\Windows\system32\csrss.exe{6820D070-4E33-6323-3C01-000000007502}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000346732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.697{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4E33-6323-3C01-000000007502}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000346731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.534{6820D070-4E33-6323-3C01-000000007502}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000190181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:23.950{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0D00-000000007602}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:23.942{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0C00-000000007602}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:23.931{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:23.928{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0900-000000007602}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:24.152{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B84-6323-9000-000000007602}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:24.144{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:24.130{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:24.125{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8700-000000007602}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:24.117{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B81-6323-8400-000000007602}3052C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:24.113{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B80-6323-8100-000000007602}640C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:24.112{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B7F-6323-7F00-000000007602}1676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:24.105{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B4B-6323-7B00-000000007602}2656C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:24.101{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AE3-6323-6D00-000000007602}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:24.099{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:24.096{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4200-000000007602}3036C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:24.095{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4000-000000007602}3000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:24.093{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-3C00-000000007602}2820C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:24.092{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD2-6323-2B00-000000007602}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:24.091{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2600-000000007602}2612C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:24.090{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2500-000000007602}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:24.087{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:24.082{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:24.080{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2000-000000007602}2000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:24.078{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1F00-000000007602}1984C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 23542300x8000000000000000190194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:24.072{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C17BD1732EC9E9BEC7698121F224E304,SHA256=95276BBE3D177C0232363A3220F04E468B528AB0B8F66C39518D3D69AEBE2BD5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:24.071{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1C00-000000007602}1924C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:24.066{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1900-000000007602}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:24.053{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1700-000000007602}1228C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:24.051{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1600-000000007602}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:24.043{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1500-000000007602}1056C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:24.021{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1400-000000007602}1048C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:24.014{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1300-000000007602}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000190186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:24.006{E743DC12-4AD0-6323-1D00-000000007602}19442852C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1200-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38A90) 10341000x8000000000000000346840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.903{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.903{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.903{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.903{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000346836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.718{6820D070-4E34-6323-3D01-000000007502}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000346835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.702{6820D070-4E34-6323-3D01-000000007502}99729996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000346834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.702{6820D070-4E34-6323-3D01-000000007502}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000346833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.702{6820D070-4E34-6323-3D01-000000007502}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000346832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.536{6820D070-4E34-6323-3D01-000000007502}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 23542300x8000000000000000346831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.604{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A15FAD2C263DD03CEE2CF64E629132A4,SHA256=5CE5809ADF753F7A8F99AD07C86BA957BCB823097D6B9B446EB5858037F343AF,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000346830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.556{6820D070-4E34-6323-3D01-000000007502}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000346829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.555{6820D070-4E34-6323-3D01-000000007502}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000346828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.555{6820D070-4E34-6323-3D01-000000007502}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000346827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.554{6820D070-4E34-6323-3D01-000000007502}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000346826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.552{6820D070-4E34-6323-3D01-000000007502}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000346825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.552{6820D070-4E34-6323-3D01-000000007502}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000346824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.552{6820D070-4E34-6323-3D01-000000007502}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000346823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.551{6820D070-4E34-6323-3D01-000000007502}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000346822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.544{6820D070-4E34-6323-3D01-000000007502}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000346821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.544{6820D070-4E34-6323-3D01-000000007502}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000346820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.544{6820D070-4E34-6323-3D01-000000007502}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000346819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.543{6820D070-4E34-6323-3D01-000000007502}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000346818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.543{6820D070-4E34-6323-3D01-000000007502}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000346817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.543{6820D070-4E34-6323-3D01-000000007502}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000346816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.542{6820D070-4E34-6323-3D01-000000007502}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000346815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.542{6820D070-4E34-6323-3D01-000000007502}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000346814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.542{6820D070-4E34-6323-3D01-000000007502}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000346813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.542{6820D070-4E34-6323-3D01-000000007502}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000346812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.542{6820D070-4E34-6323-3D01-000000007502}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000346811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.542{6820D070-4E34-6323-3D01-000000007502}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000346810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.541{6820D070-4E34-6323-3D01-000000007502}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000346809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.541{6820D070-4E34-6323-3D01-000000007502}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000346808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.541{6820D070-4E34-6323-3D01-000000007502}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000346807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.541{6820D070-4E34-6323-3D01-000000007502}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000346806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.541{6820D070-4E34-6323-3D01-000000007502}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000346805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.541{6820D070-4E34-6323-3D01-000000007502}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000346804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.541{6820D070-4E34-6323-3D01-000000007502}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000346803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.541{6820D070-4E34-6323-3D01-000000007502}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000346802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.541{6820D070-4E34-6323-3D01-000000007502}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000346801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.540{6820D070-4E34-6323-3D01-000000007502}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000346800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.540{6820D070-4E34-6323-3D01-000000007502}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000346799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.540{6820D070-4E34-6323-3D01-000000007502}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000346798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.540{6820D070-4E34-6323-3D01-000000007502}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000346797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.540{6820D070-4E34-6323-3D01-000000007502}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000346796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.540{6820D070-4E34-6323-3D01-000000007502}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000346795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.539{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4E34-6323-3D01-000000007502}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000346794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.538{6820D070-4E34-6323-3D01-000000007502}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000346793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.538{6820D070-4E34-6323-3D01-000000007502}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000346792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.537{6820D070-4E34-6323-3D01-000000007502}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000346791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.536{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.536{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.536{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.535{6820D070-4ACF-6323-0500-000000007502}404520C:\Windows\system32\csrss.exe{6820D070-4E34-6323-3D01-000000007502}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000346787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.535{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.535{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4E34-6323-3D01-000000007502}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000346785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.364{6820D070-4E34-6323-3D01-000000007502}9972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000346784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.213{6820D070-4E33-6323-3C01-000000007502}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000346783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.213{6820D070-4E33-6323-3C01-000000007502}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000346782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:24.213{6820D070-4E33-6323-3C01-000000007502}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000346781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.873{6820D070-4E33-6323-3C01-000000007502}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000346780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.872{6820D070-4E33-6323-3C01-000000007502}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000346779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.862{6820D070-4E33-6323-3C01-000000007502}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000346778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.846{6820D070-4E33-6323-3C01-000000007502}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000346777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.816{6820D070-4E33-6323-3C01-000000007502}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000346776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:23.797{6820D070-4E33-6323-3C01-000000007502}6804C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 354300x8000000000000000346775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:21.359{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63514-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x8000000000000000346939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.994{6820D070-4E35-6323-3F01-000000007502}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000346938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.994{6820D070-4E35-6323-3F01-000000007502}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000346937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.993{6820D070-4E35-6323-3F01-000000007502}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000346936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.993{6820D070-4E35-6323-3F01-000000007502}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000346935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.993{6820D070-4E35-6323-3F01-000000007502}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000346934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.993{6820D070-4E35-6323-3F01-000000007502}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000346933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.993{6820D070-4E35-6323-3F01-000000007502}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000346932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.992{6820D070-4E35-6323-3F01-000000007502}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000346931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.992{6820D070-4E35-6323-3F01-000000007502}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000346930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.992{6820D070-4E35-6323-3F01-000000007502}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000346929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.992{6820D070-4E35-6323-3F01-000000007502}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000346928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.992{6820D070-4E35-6323-3F01-000000007502}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000346927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.992{6820D070-4E35-6323-3F01-000000007502}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000346926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.992{6820D070-4E35-6323-3F01-000000007502}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000346925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.992{6820D070-4E35-6323-3F01-000000007502}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000346924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.991{6820D070-4E35-6323-3F01-000000007502}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000346923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.991{6820D070-4E35-6323-3F01-000000007502}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000346922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.991{6820D070-4E35-6323-3F01-000000007502}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000346921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.991{6820D070-4E35-6323-3F01-000000007502}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000346920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.991{6820D070-4E35-6323-3F01-000000007502}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000346919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.991{6820D070-4E35-6323-3F01-000000007502}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000346918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.991{6820D070-4E35-6323-3F01-000000007502}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000346917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.991{6820D070-4E35-6323-3F01-000000007502}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000346916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.991{6820D070-4E35-6323-3F01-000000007502}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000346915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.991{6820D070-4E35-6323-3F01-000000007502}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000346914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.991{6820D070-4E35-6323-3F01-000000007502}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000346913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.990{6820D070-4E35-6323-3F01-000000007502}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000346912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.989{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4E35-6323-3F01-000000007502}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000346911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.989{6820D070-4E35-6323-3F01-000000007502}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000346910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.989{6820D070-4E35-6323-3F01-000000007502}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000346909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.988{6820D070-4E35-6323-3F01-000000007502}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000346908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.988{6820D070-4E35-6323-3F01-000000007502}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000346907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.988{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.988{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.987{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.987{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.987{6820D070-4ACF-6323-0500-000000007502}404420C:\Windows\system32\csrss.exe{6820D070-4E35-6323-3F01-000000007502}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000346902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.987{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4E35-6323-3F01-000000007502}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000346901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.986{6820D070-4E35-6323-3F01-000000007502}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000346900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.738{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C5358B75090F7BB23B97DA6B9DB4D7A,SHA256=F6B97A724C38A3C06F6630D22CFE65865E01E4621BEE6CB3F6EC05FECAFE1A13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:25.576{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=210427A8752FC71F92B1ADE7007E8459,SHA256=83A50565874236E77CAEB229A1009354ECDA6948DA64ED8596D9FFD885D7404E,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000346899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.491{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000346898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.489{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000346897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.489{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000346896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.283{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000346895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.279{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 23542300x8000000000000000346894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.429{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57BBC28DC5D17498A26CE7DAA1931607,SHA256=75A417092BE5FB6D336170F9C0939CB15E043785F696DFD11228C3E1635BE8AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000346893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.305{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0070210D8AC35829A17BB701D4A36F8D,SHA256=51E0857383C78223F53218B174C802B50C21CA78D3F6CD5AA47FF66175C7FB0E,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000346892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.290{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000346891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.290{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000346890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.290{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000346889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.290{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000346888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.290{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000346887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.290{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000346886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.290{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000346885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.290{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000346884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.289{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000346883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.289{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000346882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.289{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000346881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.287{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000346880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.287{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000346879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.287{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000346878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.286{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000346877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.286{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000346876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.286{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000346875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.286{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000346874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.286{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000346873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.286{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000346872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.285{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000346871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.285{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000346870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.285{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000346869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.285{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000346868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.285{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000346867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.284{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000346866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.284{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000346865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.284{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000346864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.284{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000346863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.284{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000346862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.284{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000346861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.284{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000346860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.284{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 23542300x8000000000000000346859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.283{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2272FE7EA2C6531AA2A473E1CCC7701F,SHA256=B4236FFEA1923C13D607804334078B3C3EEF150418FA18867D65F6DBF8EB2190,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000346858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.283{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000346857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.283{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000346856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.283{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000346855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.282{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000346854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.282{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000346853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.282{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 23542300x8000000000000000346852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.281{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AEC11B9CC4C1DDA4780EEB0E4D87779,SHA256=48B740612A8D1C5C4D7B0F3A71F1C198247F61679A8A408C042FA7641B775BDA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000346851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.281{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000346850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.280{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000346849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.279{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000346848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.279{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000346847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.278{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.278{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.278{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.278{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.277{6820D070-4ACF-6323-0500-000000007502}404520C:\Windows\system32\csrss.exe{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000346842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.277{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000346841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.135{6820D070-4E35-6323-3E01-000000007502}6596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000347001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.818{6820D070-4E36-6323-4001-000000007502}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 23542300x8000000000000000347000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.913{6820D070-4ADF-6323-3200-000000007502}2936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=9F5BED664366A725C956DF32CB542237,SHA256=D19E1C0A4BFD0DB36952E35B49CF411B0A7269122312B1AEFD902B3E92C28070,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000346999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.850{6820D070-4E36-6323-4001-000000007502}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000346998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.849{6820D070-4E36-6323-4001-000000007502}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000346997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.848{6820D070-4E36-6323-4001-000000007502}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000346996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.847{6820D070-4E36-6323-4001-000000007502}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000346995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.845{6820D070-4E36-6323-4001-000000007502}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000346994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.844{6820D070-4E36-6323-4001-000000007502}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000346993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.843{6820D070-4E36-6323-4001-000000007502}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000346992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.843{6820D070-4E36-6323-4001-000000007502}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000346991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.842{6820D070-4E36-6323-4001-000000007502}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000346990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.836{6820D070-4E36-6323-4001-000000007502}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000346989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.836{6820D070-4E36-6323-4001-000000007502}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000346988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.835{6820D070-4E36-6323-4001-000000007502}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000346987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.835{6820D070-4E36-6323-4001-000000007502}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000346986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.835{6820D070-4E36-6323-4001-000000007502}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000346985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.834{6820D070-4E36-6323-4001-000000007502}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000346984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.834{6820D070-4E36-6323-4001-000000007502}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000346983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.834{6820D070-4E36-6323-4001-000000007502}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000346982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.833{6820D070-4E36-6323-4001-000000007502}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000346981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.833{6820D070-4E36-6323-4001-000000007502}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000346980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.833{6820D070-4E36-6323-4001-000000007502}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000346979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.833{6820D070-4E36-6323-4001-000000007502}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000346978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.832{6820D070-4E36-6323-4001-000000007502}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000346977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.832{6820D070-4E36-6323-4001-000000007502}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000346976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.831{6820D070-4E36-6323-4001-000000007502}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000346975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.830{6820D070-4E36-6323-4001-000000007502}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000346974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.830{6820D070-4E36-6323-4001-000000007502}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000346973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.830{6820D070-4E36-6323-4001-000000007502}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000346972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.829{6820D070-4E36-6323-4001-000000007502}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000346971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.829{6820D070-4E36-6323-4001-000000007502}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000346970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.829{6820D070-4E36-6323-4001-000000007502}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000346969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.828{6820D070-4E36-6323-4001-000000007502}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000346968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.828{6820D070-4E36-6323-4001-000000007502}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000346967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.827{6820D070-4E36-6323-4001-000000007502}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000346966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.827{6820D070-4E36-6323-4001-000000007502}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000346965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.827{6820D070-4E36-6323-4001-000000007502}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000346964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.827{6820D070-4E36-6323-4001-000000007502}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000346963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.825{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4E36-6323-4001-000000007502}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000346962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.820{6820D070-4E36-6323-4001-000000007502}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000346961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.819{6820D070-4E36-6323-4001-000000007502}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000346960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.819{6820D070-4E36-6323-4001-000000007502}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000346959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.818{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.818{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.817{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.817{6820D070-4ACF-6323-0500-000000007502}404520C:\Windows\system32\csrss.exe{6820D070-4E36-6323-4001-000000007502}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000346955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.817{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000346954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.817{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4E36-6323-4001-000000007502}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000346953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.670{6820D070-4E36-6323-4001-000000007502}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000190216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:26.633{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8C9E908DB2B659A3614F0219A66FA53,SHA256=39D95DF077D2BB510207A3F64A099511BDD578E0AB83FDA32321E9F3065FC1E0,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000346952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.159{6820D070-4E35-6323-3F01-000000007502}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000346951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.159{6820D070-4E35-6323-3F01-000000007502}60367076C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000346950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.158{6820D070-4E35-6323-3F01-000000007502}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000346949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.158{6820D070-4E35-6323-3F01-000000007502}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000346948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:22.991{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63515-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 734700x8000000000000000346947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.001{6820D070-4E35-6323-3F01-000000007502}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000346946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.001{6820D070-4E35-6323-3F01-000000007502}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000346945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.001{6820D070-4E35-6323-3F01-000000007502}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000346944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.001{6820D070-4E35-6323-3F01-000000007502}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000346943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.001{6820D070-4E35-6323-3F01-000000007502}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000346942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.001{6820D070-4E35-6323-3F01-000000007502}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000346941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.001{6820D070-4E35-6323-3F01-000000007502}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000346940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:26.001{6820D070-4E35-6323-3F01-000000007502}6036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000347061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.939{6820D070-4E37-6323-4101-000000007502}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000347060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.939{6820D070-4E37-6323-4101-000000007502}66366612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000347059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.931{6820D070-4E37-6323-4101-000000007502}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000347058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.930{6820D070-4E37-6323-4101-000000007502}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000347057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.914{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B76E9030018E5207555BF58FD509B2F,SHA256=5FFBE6A53D45B4A236A39229DD0BAB6571CCAE35D106A3689C9C1293733B2980,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000347056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.865{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.865{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000347054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.722{6820D070-4E37-6323-4101-000000007502}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 23542300x8000000000000000347053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.841{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C70146E117F65FAE2E9481109E1EF4EB,SHA256=AA3BFC04E0769655B7CCFDD16BC3251CB91BDD0CB690865F0FB7A2062634A80C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:27.707{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE4413F1941B512A6C73E9FB79EFF74E,SHA256=E237A3E116D1971F1D737C67EE398474AD7F916172E639978896AE9C5F82A65C,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000347052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.743{6820D070-4E37-6323-4101-000000007502}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000347051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.743{6820D070-4E37-6323-4101-000000007502}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000347050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.742{6820D070-4E37-6323-4101-000000007502}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000347049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.741{6820D070-4E37-6323-4101-000000007502}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000347048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.740{6820D070-4E37-6323-4101-000000007502}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000347047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.740{6820D070-4E37-6323-4101-000000007502}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000347046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.739{6820D070-4E37-6323-4101-000000007502}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000347045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.739{6820D070-4E37-6323-4101-000000007502}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000347044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.728{6820D070-4E37-6323-4101-000000007502}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000347043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.728{6820D070-4E37-6323-4101-000000007502}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000347042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.728{6820D070-4E37-6323-4101-000000007502}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000347041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.727{6820D070-4E37-6323-4101-000000007502}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000347040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.727{6820D070-4E37-6323-4101-000000007502}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000347039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.727{6820D070-4E37-6323-4101-000000007502}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000347038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.727{6820D070-4E37-6323-4101-000000007502}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000347037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.726{6820D070-4E37-6323-4101-000000007502}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000347036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.726{6820D070-4E37-6323-4101-000000007502}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000347035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.726{6820D070-4E37-6323-4101-000000007502}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000347034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.726{6820D070-4E37-6323-4101-000000007502}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000347033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.726{6820D070-4E37-6323-4101-000000007502}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000347032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.726{6820D070-4E37-6323-4101-000000007502}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000347031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.726{6820D070-4E37-6323-4101-000000007502}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000347030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.726{6820D070-4E37-6323-4101-000000007502}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000347029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.726{6820D070-4E37-6323-4101-000000007502}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000347028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.725{6820D070-4E37-6323-4101-000000007502}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000347027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.725{6820D070-4E37-6323-4101-000000007502}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000347026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.725{6820D070-4E37-6323-4101-000000007502}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000347025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.725{6820D070-4E37-6323-4101-000000007502}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000347024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.725{6820D070-4E37-6323-4101-000000007502}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000347023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.725{6820D070-4E37-6323-4101-000000007502}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000347022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.725{6820D070-4E37-6323-4101-000000007502}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000347021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.725{6820D070-4E37-6323-4101-000000007502}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000347020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.725{6820D070-4E37-6323-4101-000000007502}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000347019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.725{6820D070-4E37-6323-4101-000000007502}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000347018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.725{6820D070-4E37-6323-4101-000000007502}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000347017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.724{6820D070-4E37-6323-4101-000000007502}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000347016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.724{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4E37-6323-4101-000000007502}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000347015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.723{6820D070-4E37-6323-4101-000000007502}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000347014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.723{6820D070-4E37-6323-4101-000000007502}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000347013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.722{6820D070-4E37-6323-4101-000000007502}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000347012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.721{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.721{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.721{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.720{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.720{6820D070-4ACF-6323-0500-000000007502}404420C:\Windows\system32\csrss.exe{6820D070-4E37-6323-4101-000000007502}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000347007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.720{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4E37-6323-4101-000000007502}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000347006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.570{6820D070-4E37-6323-4101-000000007502}6636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000347005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.255{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFD1048FB1E74466E1B567F51551F636,SHA256=9E580C8433CA9F238D8CE64A68330B30AD7E8E81BE121DAAEFE2939CC30090AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000347004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.053{6820D070-4E36-6323-4001-000000007502}64044412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000347003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.053{6820D070-4E36-6323-4001-000000007502}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000347002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.052{6820D070-4E36-6323-4001-000000007502}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000190217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:24.451{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49864-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000347116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.964{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C83F86D0AC940B690D85E2A97D104791,SHA256=CBDD7FD01415892609A3622D90DF26D666F072942B6CD89DC339B2540AFB9778,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000347115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.962{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8210250AA046CF4EB8FAF6267074734F,SHA256=E59228A2D5A9A33D4BF5B4C81566837781E3BB225A653E0B621717121771C045,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:28.905{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3C16F1EEC104C6B323B55D74C6D9923,SHA256=EDCCB4D2C0DA51FE0A4889A7BD252345E572BB1F2844390B4A72899E3CCEDDC0,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000347114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.694{6820D070-4E38-6323-4201-000000007502}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000347113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.692{6820D070-4E38-6323-4201-000000007502}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000347112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.691{6820D070-4E38-6323-4201-000000007502}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000347111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.511{6820D070-4E38-6323-4201-000000007502}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000347110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.496{6820D070-4E38-6323-4201-000000007502}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 734700x8000000000000000347109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.527{6820D070-4E38-6323-4201-000000007502}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000347108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.527{6820D070-4E38-6323-4201-000000007502}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000347107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.527{6820D070-4E38-6323-4201-000000007502}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000347106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.527{6820D070-4E38-6323-4201-000000007502}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000347105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.527{6820D070-4E38-6323-4201-000000007502}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000347104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.527{6820D070-4E38-6323-4201-000000007502}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000347103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.511{6820D070-4E38-6323-4201-000000007502}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000347102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.511{6820D070-4E38-6323-4201-000000007502}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000347101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.511{6820D070-4E38-6323-4201-000000007502}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000347100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.511{6820D070-4E38-6323-4201-000000007502}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000347099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.511{6820D070-4E38-6323-4201-000000007502}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000347098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.511{6820D070-4E38-6323-4201-000000007502}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000347097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.511{6820D070-4E38-6323-4201-000000007502}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000347096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.511{6820D070-4E38-6323-4201-000000007502}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000347095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.511{6820D070-4E38-6323-4201-000000007502}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000347094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.511{6820D070-4E38-6323-4201-000000007502}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000347093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.511{6820D070-4E38-6323-4201-000000007502}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000347092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.511{6820D070-4E38-6323-4201-000000007502}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000347091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.511{6820D070-4E38-6323-4201-000000007502}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000347090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.511{6820D070-4E38-6323-4201-000000007502}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000347089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.511{6820D070-4E38-6323-4201-000000007502}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000347088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.511{6820D070-4E38-6323-4201-000000007502}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000347087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.511{6820D070-4E38-6323-4201-000000007502}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000347086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.511{6820D070-4E38-6323-4201-000000007502}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000347085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.511{6820D070-4E38-6323-4201-000000007502}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000347084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.511{6820D070-4E38-6323-4201-000000007502}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000347083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.511{6820D070-4E38-6323-4201-000000007502}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000347082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.511{6820D070-4E38-6323-4201-000000007502}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000347081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.511{6820D070-4E38-6323-4201-000000007502}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000347080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.511{6820D070-4E38-6323-4201-000000007502}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000347079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.511{6820D070-4E38-6323-4201-000000007502}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000347078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.496{6820D070-4E38-6323-4201-000000007502}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000347077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.496{6820D070-4E38-6323-4201-000000007502}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000347076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.496{6820D070-4E38-6323-4201-000000007502}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000347075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.496{6820D070-4E38-6323-4201-000000007502}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000347074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.496{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4E38-6323-4201-000000007502}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000347073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.496{6820D070-4E38-6323-4201-000000007502}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000347072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.496{6820D070-4E38-6323-4201-000000007502}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000347071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.496{6820D070-4E38-6323-4201-000000007502}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000347070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.496{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.496{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.496{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.496{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.496{6820D070-4ACF-6323-0500-000000007502}404520C:\Windows\system32\csrss.exe{6820D070-4E38-6323-4201-000000007502}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000347065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.496{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4E38-6323-4201-000000007502}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000347064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:28.356{6820D070-4E38-6323-4201-000000007502}7084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000347063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.808{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63516-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000347062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:25.808{6820D070-4ADF-6323-2600-000000007502}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63516-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 23542300x8000000000000000190220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:29.997{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D866A77E13FF44FBE8A9AC8DAC77ECBF,SHA256=17F82822C36C3E0988BD76DCC5F4E9A9C078A6043378C436D08600134E828757,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000347118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:27.220{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63517-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000347117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:30.092{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B49E5F6B4214DE2707DF588AC1C71F0,SHA256=FE06AA747A3AA4EF19C3F7EC724DDB63419A6CAB4CFF1D042BFC246BA233FD16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000347119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:31.166{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFB89650277DFD80AE01043766C82FAE,SHA256=53BF4178033BCBAE3B27FF21B112D8379BEB91F4373C5888AC76D9251FCCEC72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:31.092{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D872CA86421B6EE25BE7E998889786D9,SHA256=7915CAE01B45E242431FE3EAFB9D63F48DF0A181D1E18CFFF46F2F1A5C4D43DE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000347126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:32.380{6820D070-4B7F-6323-9900-000000007502}29724972C:\Windows\Explorer.EXE{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:32.380{6820D070-4B7F-6323-9900-000000007502}29724972C:\Windows\Explorer.EXE{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:32.380{6820D070-4B7F-6323-9900-000000007502}29724972C:\Windows\Explorer.EXE{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:32.302{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:32.302{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000347121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:32.183{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66EAA79AE23EAC1C2ED17B34EC73FB40,SHA256=D5F283D6FCDC1E3815693D4BD37DD952D197BCCB8017E0E21B28B3D389DB9A18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:32.173{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F73A683A4485740E8912BC7521EE7287,SHA256=75169A02D4488CEE87D49D6C7B5F5EA109DBF651CBA6FBB3B68F4CD0D61D8321,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000347120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:32.080{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\glean\db\data.safe.binMD5=DEA27C84A3CBEC65D20CD6A404A67160,SHA256=9DE9E72DBFD8D05026816B9BBDE82C0070D515CE06CD0B1DAB3D4C6B9523AD34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000347127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:33.235{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FCFDF1287982CB46DB1F18B3968AAEA,SHA256=6048DD00302533C1A36F5A3BCEE8060DF6A7312DA1F1351C5174A51839149666,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:33.268{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F308F2A7F7BD38127353E47DCA760D5,SHA256=B7BEE9C27867613C8CE5EA0219C2958100A0FE5B8A196011D019BD2797A2F4E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:30.274{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49865-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000190225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:34.344{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E08C2746A1941223A710A0C36B2FC822,SHA256=D4A1D46A07F982EE39CD0F2CDDCF7D742640C99D18D1419651AF9E70013D3D87,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000347200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.859{6820D070-4E19-6323-3B01-000000007502}68446944C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000A9CF96F)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+13bcf(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+168b9(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+d8ba(wow64)|UNKNOWN(0000000010EF0D40)|UNKNOWN(0000000010EF0B10)|UNKNOWN(0000000010EF09AE)|UNKNOWN(0000000010EF08F4)|UNKNOWN(00000000109E773E)|UNKNOWN(00000000109E7189)|UNKNOWN(00000000109E6AB1)|UNKNOWN(000000000A9CD33D)|UNKNOWN(000000000A9CC80F)|UNKNOWN(000000000A9CC575) 10341000x8000000000000000347199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.859{6820D070-4E19-6323-3B01-000000007502}68446944C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000A9CF96F)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+13814(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+e8b9(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+e99e(wow64)|UNKNOWN(0000000010EF0B10)|UNKNOWN(0000000010EF09AE)|UNKNOWN(0000000010EF08F4)|UNKNOWN(00000000109E773E)|UNKNOWN(00000000109E7189)|UNKNOWN(00000000109E6AB1)|UNKNOWN(000000000A9CD33D)|UNKNOWN(000000000A9CC80F)|UNKNOWN(000000000A9CC575)|UNKNOWN(000000000F450D1C) 23542300x8000000000000000347198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.839{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B965E033A2E4ACF532A3358A218534B,SHA256=D09D320A4100CDDEAE7BDDDFC55AB481D09F16AB675D3A70804313C2C02B67EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000347197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.717{6820D070-4E19-6323-3B01-000000007502}68446944C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000A9CF96F)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+13bcf(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+168b9(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+d8ba(wow64)|UNKNOWN(00000000109E82C0)|UNKNOWN(00000000109E7BDC)|UNKNOWN(00000000109E768A)|UNKNOWN(00000000109E7189)|UNKNOWN(00000000109E6AB1)|UNKNOWN(000000000A9CD33D)|UNKNOWN(000000000A9CC80F)|UNKNOWN(000000000A9CC575)|UNKNOWN(000000000F450D1C)|UNKNOWN(000000000DA5F005) 10341000x8000000000000000347196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.715{6820D070-4E19-6323-3B01-000000007502}68446944C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000A9CF96F)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+13814(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+e8b9(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+e99e(wow64)|UNKNOWN(00000000109E7BDC)|UNKNOWN(00000000109E768A)|UNKNOWN(00000000109E7189)|UNKNOWN(00000000109E6AB1)|UNKNOWN(000000000A9CD33D)|UNKNOWN(000000000A9CC80F)|UNKNOWN(000000000A9CC575)|UNKNOWN(000000000F450D1C)|UNKNOWN(000000000DA5F005)|UNKNOWN(000000000DA5EEAE) 10341000x8000000000000000347195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.714{6820D070-4E19-6323-3B01-000000007502}68446944C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(00000000109E7E0A)|UNKNOWN(00000000109E7C9F)|UNKNOWN(00000000109E7BAF)|UNKNOWN(00000000109E768A)|UNKNOWN(00000000109E7189)|UNKNOWN(00000000109E6AB1)|UNKNOWN(000000000A9CD33D)|UNKNOWN(000000000A9CC80F)|UNKNOWN(000000000A9CC575)|UNKNOWN(000000000F450D1C)|UNKNOWN(000000000DA5F005)|UNKNOWN(000000000DA5EEAE)|UNKNOWN(000000000DA5EDE8)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64) 23542300x8000000000000000347194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.702{6820D070-4ADF-6323-2900-000000007502}2576NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\respondent-20220915155514-013MD5=3EE9864ACDFFE78A8B2E0DEDF704C720,SHA256=3E9075B80C33CFA58EAF977E4450D367AD693E429428DFB55B91DE7FD240E49F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000347193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.684{6820D070-4E19-6323-3B01-000000007502}68446212C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exe0x1038C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000A9CEA8A)|UNKNOWN(000000001BD4E292)|UNKNOWN(000000001BD4DDF6)|UNKNOWN(000000001C285A2D)|UNKNOWN(000000001C28594F)|UNKNOWN(000000001C28AF39)|UNKNOWN(000000001C28AD91)|UNKNOWN(000000001C28AD49)|UNKNOWN(000000001C28A74A)|UNKNOWN(000000001C28AB36)|UNKNOWN(000000001C28A94B)|UNKNOWN(000000001C28A644)|UNKNOWN(000000001C28A24F) 10341000x8000000000000000347192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.684{6820D070-4E19-6323-3B01-000000007502}68446944C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000A9CF96F)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+13bcf(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+168b9(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+15b8f(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+fdd2(wow64)|UNKNOWN(000000000A9CF5A6)|UNKNOWN(000000000A9CE7F9)|UNKNOWN(000000000A9CD5BF)|UNKNOWN(000000000A9CD0D0)|UNKNOWN(000000000A9CC80F)|UNKNOWN(000000000A9CC575)|UNKNOWN(000000000F450D1C)|UNKNOWN(000000000DA5F005)|UNKNOWN(000000000DA5EEAE) 10341000x8000000000000000347191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.679{6820D070-4E19-6323-3B01-000000007502}68446944C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000A9CF96F)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+13814(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+e8b9(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+e99e(wow64)|UNKNOWN(000000000A9CE7F9)|UNKNOWN(000000000A9CD5BF)|UNKNOWN(000000000A9CD0D0)|UNKNOWN(000000000A9CC80F)|UNKNOWN(000000000A9CC575)|UNKNOWN(000000000F450D1C)|UNKNOWN(000000000DA5F005)|UNKNOWN(000000000DA5EEAE)|UNKNOWN(000000000DA5EDE8)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64) 10341000x8000000000000000347190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.677{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.675{6820D070-4E19-6323-3B01-000000007502}68446944C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exe0x1038C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000A9CEA8A)|UNKNOWN(000000000A9CE6E2)|UNKNOWN(000000000A9CD5BF)|UNKNOWN(000000000A9CD0D0)|UNKNOWN(000000000A9CC80F)|UNKNOWN(000000000A9CC575)|UNKNOWN(000000000F450D1C)|UNKNOWN(000000000DA5F005)|UNKNOWN(000000000DA5EEAE)|UNKNOWN(000000000DA5EDE8)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+25f311(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+255d72(wow64)|C:\Users\Administrator\Downloads\bin\coreclr.dll+11adaf(wow64) 10341000x8000000000000000347188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.669{6820D070-4E19-6323-3B01-000000007502}68447200C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000A9CC12F)|UNKNOWN(000000000A9CB5B5)|UNKNOWN(000000000A9C758A)|UNKNOWN(000000000A9C72CD)|UNKNOWN(0000000009399467)|UNKNOWN(00000000093993E7)|UNKNOWN(00000000093991FC)|UNKNOWN(0000000009391BE5)|UNKNOWN(000000000939196E)|UNKNOWN(00000000093918A8)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|UNKNOWN(000000001C28A74A)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+255d72(wow64)|C:\Users\Administrator\Downloads\bin\coreclr.dll+11adaf(wow64) 734700x8000000000000000347187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.638{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft .NET External Data Access SupportMicrosoft® .NET FrameworkMicrosoft Corporationcordacwks.dllMD5=0ACFE06D73EFBCAFACF72A22F7D79E91,SHA256=525591629E48EC84FE78DBC621AE91536E7039B50593B60AD6B3801B1F91EB5A,IMPHASH=F0FBF635B7EFD828980AA6937580AF82trueMicrosoft CorporationValid 10341000x8000000000000000347186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.638{6820D070-4E19-6323-3B01-000000007502}68447000C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d6e0(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ca(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ea(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dae6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dd11(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e2de(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e4ae(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll+6a31(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll+749d(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dfe2(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e0b6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e177(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e5fa(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1142a(wow64) 10341000x8000000000000000347185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.638{6820D070-4E19-6323-3B01-000000007502}68447000C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+de5f(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dca6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e2de(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e4ae(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll+6a31(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll+749d(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dfe2(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e0b6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e177(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e5fa(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1142a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000347184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.623{6820D070-4E19-6323-3B01-000000007502}68447000C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d6e0(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ca(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ea(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dae6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dd11(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e195(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1d732(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e5fa(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1142a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000347183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.623{6820D070-4E19-6323-3B01-000000007502}68447000C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+de5f(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dca6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e195(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1d732(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e5fa(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1142a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 734700x8000000000000000347182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.623{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9268_none_d08e1538442a243e\msvcr80.dll8.00.50727.9268Microsoft® C Runtime LibraryMicrosoft® Visual Studio® 2005Microsoft CorporationMSVCR80.DLLMD5=26A95438C2D0E0C41B73D19400F4C2DB,SHA256=CC97DCB66E3150CD14294D21AD0E10C7472DF45CAF37E49675A70ED406882BE2,IMPHASH=7FECBC4A16A5DC85A5394A1DF6217680trueMicrosoft WindowsValid 734700x8000000000000000347181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.623{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft .NET Runtime Common Language Runtime - WorkStationMicrosoft® .NET FrameworkMicrosoft Corporationmscorwks.dllMD5=25CEE067AED86FF988C8D31BD7212A21,SHA256=3E0987EFC92F4BCD2798934A70BBEDCADB37899B4F6225279F3685A0DB5BB2F8,IMPHASH=C8D17502D1A38C77CC8770F7291FD333trueMicrosoft CorporationValid 734700x8000000000000000347180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.623{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9,IMPHASH=313B85F092EA5CD18DD8311E8921D208trueMicrosoft WindowsValid 734700x8000000000000000347179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.608{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3,IMPHASH=EA6E499F92F9040E9609EFDC47BE01FEtrueMicrosoft WindowsValid 734700x8000000000000000347178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.608{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69,IMPHASH=9F60CD6001B5CEA647B250DFF3B6F65AtrueMicrosoft WindowsValid 734700x8000000000000000347177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.608{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62A,IMPHASH=5D2578ED274AAD83C30A3917C98404EEtrueMicrosoft WindowsValid 734700x8000000000000000347176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.608{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8C,IMPHASH=5D92B73B6930EFBC71A36B7FEF62DF62trueMicrosoft WindowsValid 734700x8000000000000000347175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.584{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=8B516F883167509677B58B9984D8EEA2,SHA256=47F9B88E4038517FC8C5FEB3AC04B21A885EE505143952C96A23FE851869A90E,IMPHASH=E698C8E2E06172CDB524686FF10A5C5EtrueMicrosoft WindowsValid 734700x8000000000000000347174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.580{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDF,IMPHASH=25AFDCBDCE8BEB6A7109D378495BE552trueMicrosoft WindowsValid 734700x8000000000000000347173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.559{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87,IMPHASH=44F906D172B935DEA0C5D038C6FA8449trueMicrosoft WindowsValid 734700x8000000000000000347172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.559{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\SysWOW64\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=9629C30BA0F10D72FD189FCA987B0E29,SHA256=4DDAF3BB8CE239A8AD41F333AE7D2AD6B7763B9ED8B862695B67F60E5ADE031C,IMPHASH=7E0E904C0FD68DBF5F794D700C0C3C3DtrueMicrosoft WindowsValid 734700x8000000000000000347171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.527{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6CE01AB1C2063B171AD7432B130FEBBD,SHA256=F554E9818C54F6C760C6E53BAEABCA3F5CAD683C028460307F3D93C7A8B06F02,IMPHASH=2D7046CEF5DEEA9D960D37CB0A98F146trueMicrosoft WindowsValid 734700x8000000000000000347170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.527{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=606B77C072A964DA4E4710151CAC86EB,SHA256=C6C9E8D77B62C7A52E6E9EAC764C1E1345779FC17544B80730E507627A5D5120,IMPHASH=25F1E57C7A6ED06AAF329CB7B168FA29trueMicrosoft CorporationValid 734700x8000000000000000347169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.511{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8,IMPHASH=918DADABE6E41CFBB03F954A46D3F72EtrueMicrosoft WindowsValid 734700x8000000000000000347168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.511{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891,IMPHASH=C7D6B46400E43E7BE538D1CCB512EC25trueMicrosoft WindowsValid 734700x8000000000000000347167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.505{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=1B90C58145F4B3C0743C470793469AD6,SHA256=21D752964E10DBB4DFC589856AA808D31E301B93C9E5FF6D1655D32FBD00AF44,IMPHASH=AC11100B3FFA7FCAFA188E618E4C7CC1trueMicrosoft WindowsValid 734700x8000000000000000347166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.505{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=C6EE0DB29435BF41835FFA96EB2F14C5,SHA256=CAF9E05D47F84728986E1BF563B3B87FAF3522F4E0CC4FD95694F418C307AD92,IMPHASH=DFB6F6F4811855AE14F8E8492E1C602FtrueMicrosoft WindowsValid 734700x8000000000000000347165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.489{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=495127E6E6D5CAEDE18A809EAEFFC349,SHA256=9F621D36BCD75AE97E1BCBA9BBFD75FEC74C6CA87AEF81F3190173CBF7CC2A45,IMPHASH=C3B61C1F5D46A607D624033E7094E4FFtrueMicrosoft WindowsValid 734700x8000000000000000347164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.489{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0B,IMPHASH=B5CBF1B1B5086E2C500FD84325E04D44trueMicrosoft WindowsValid 734700x8000000000000000347163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.478{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7,IMPHASH=8B861EA72FDD6FC722328B2746B13380trueMicrosoft WindowsValid 734700x8000000000000000347162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.464{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=25ADC994F9AF8716E35487995DDB45CE,SHA256=47B573E7708AAA00F2BE6E8EB7F3CB1B4817E65FACBBB1D772970A8F710DAF61,IMPHASH=6E1D0A92C1917EFBFC1EEA82FA5E155FtrueMicrosoft WindowsValid 734700x8000000000000000347161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.423{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82,IMPHASH=15CD876FB3F6EC97A2F7466360415F86trueMicrosoft WindowsValid 734700x8000000000000000347160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.423{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=2BF0F8D3C4FB14CB0DB195FED475AC53,SHA256=42360027F12D825CFA04158EEF4DE264AC74C7FD48C2C2EE384519714183436F,IMPHASH=EAF4CC449835E7A81A8EEFEBEB2E8FC7trueMicrosoft WindowsValid 734700x8000000000000000347159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.423{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\SysWOW64\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=2582AA6C1F88D34B37B7F82D790D232E,SHA256=AA948BB6583057E2E2F299EBD1717A42D6559CA27AF6BC756D3C3BB4109E4E77,IMPHASH=900F88A34CE398C54C9022F5335E8EA9trueMicrosoft WindowsValid 734700x8000000000000000347158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.423{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000347157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.423{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000347156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.407{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=2BF0F8D3C4FB14CB0DB195FED475AC53,SHA256=42360027F12D825CFA04158EEF4DE264AC74C7FD48C2C2EE384519714183436F,IMPHASH=EAF4CC449835E7A81A8EEFEBEB2E8FC7trueMicrosoft WindowsValid 734700x8000000000000000347155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.400{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0,IMPHASH=3045357B61B63AEF6CBCD96F2FA7E9D8trueMicrosoft WindowsValid 734700x8000000000000000347154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.400{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000347153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.384{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5D,IMPHASH=03B9E38A9E88FDC66380837CCC8647FAtrueMicrosoft WindowsValid 734700x8000000000000000347152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.384{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=B04953E4C38042AD2628FA49AB42AB5C,SHA256=7B2B4662D3EE0D6DD673C0FEEE4B28E2E16ABF534DF3076497C6B6B40E8BE9C1,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000347151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.380{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Temp\agentteslaa.exe0.0.0.0 --aLSZnlmnjFkdUuYoWBWV.exeMD5=57B647DE1931227D624E57CA178F81B3,SHA256=A8AB565E66B75E28BADF2851B481715FE080553F5AE7AFA65BCF1934E262A927,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744false-Unavailable 734700x8000000000000000347150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.353{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.IO.Pipes.dll6.0.21.52210System.IO.PipesMicrosoft® .NETMicrosoft CorporationSystem.IO.Pipes.dllMD5=EA7FE76F30C84D09A935D61CAA8028DD,SHA256=09330878D5A90173B44D57FFA817AE86E7A19A551FA1DC87E5F73085401A6514,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.380{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000347148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.379{6820D070-4E19-6323-3B01-000000007502}68447316C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d6e0(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ca(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ea(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+f6f0(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+eb46(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1a9a1(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1a720(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+ca3d(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000347147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.379{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.378{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.378{6820D070-4B7C-6323-8800-000000007502}628648C:\Windows\system32\csrss.exe{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000347144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.378{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.378{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.377{6820D070-4E19-6323-3B01-000000007502}68447316C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9328(wow64)|C:\Windows\System32\KERNELBASE.dll+d800c(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1a871(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1a937(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1a720(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+ca3d(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000347141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.376{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exe0.0.0.0 --aLSZnlmnjFkdUuYoWBWV.exe"C:\Temp\agentteslaa.exe"C:\Temp\ATTACKRANGE\Administrator{6820D070-4B7D-6323-1F63-0C0000000000}0xc631f2HighMD5=57B647DE1931227D624E57CA178F81B3,SHA256=A8AB565E66B75E28BADF2851B481715FE080553F5AE7AFA65BCF1934E262A927,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe"C:\Users\Administrator\Downloads\dnSpy.exe" 734700x8000000000000000347140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.353{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Console.dll6.0.21.52210System.ConsoleMicrosoft® .NETMicrosoft CorporationSystem.Console.dllMD5=A9DC3BBD8195E7D81166401EDA15311F,SHA256=0FF716986D219C72C0AC9AB96CC29B6A92B6FA3BB827D13FF2AD886BAE67C0A0,IMPHASH=00000000000000000000000000000000true.NETValid 10341000x8000000000000000347139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.376{6820D070-4AD1-6323-1000-000000007502}4286492C:\Windows\System32\svchost.exe{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000347138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.337{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft .NET Runtime Common Language Runtime - WorkStationMicrosoft® .NET FrameworkMicrosoft Corporationmscorwks.dllMD5=25CEE067AED86FF988C8D31BD7212A21,SHA256=3E0987EFC92F4BCD2798934A70BBEDCADB37899B4F6225279F3685A0DB5BB2F8,IMPHASH=C8D17502D1A38C77CC8770F7291FD333trueMicrosoft CorporationValid 23542300x8000000000000000347137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.284{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2685BA8E834B97570792184D7CAD8D3F,SHA256=D840B0DF051C2624A52EE88B2B732A6886C8304749BF68BFC2A84DAB9EE17466,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000347136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.221{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9268_none_d08e1538442a243e\msvcr80.dll8.00.50727.9268Microsoft® C Runtime LibraryMicrosoft® Visual Studio® 2005Microsoft CorporationMSVCR80.DLLMD5=26A95438C2D0E0C41B73D19400F4C2DB,SHA256=CC97DCB66E3150CD14294D21AD0E10C7472DF45CAF37E49675A70ED406882BE2,IMPHASH=7FECBC4A16A5DC85A5394A1DF6217680trueMicrosoft WindowsValid 10341000x8000000000000000347135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.237{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000347134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.199{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft .NET Runtime Debugging ServicesMicrosoft® .NET FrameworkMicrosoft Corporationmscordbi.dllMD5=3EC5E57DE99ADCD975E2447DA34AA6A9,SHA256=09FBDF531A60D66B7C911CC3ECC05C62506D442F0D778399B62985DF24845E43,IMPHASH=576AFCE6C6BCCCE6C07B4EC3638A6879trueMicrosoft CorporationValid 734700x8000000000000000347133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.152{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9,IMPHASH=313B85F092EA5CD18DD8311E8921D208trueMicrosoft WindowsValid 734700x8000000000000000347132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.137{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=606B77C072A964DA4E4710151CAC86EB,SHA256=C6C9E8D77B62C7A52E6E9EAC764C1E1345779FC17544B80730E507627A5D5120,IMPHASH=25F1E57C7A6ED06AAF329CB7B168FA29trueMicrosoft CorporationValid 734700x8000000000000000347131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.106{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=2582AA6C1F88D34B37B7F82D790D232E,SHA256=AA948BB6583057E2E2F299EBD1717A42D6559CA27AF6BC756D3C3BB4109E4E77,IMPHASH=900F88A34CE398C54C9022F5335E8EA9trueMicrosoft WindowsValid 10341000x8000000000000000347130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.015{6820D070-4B7F-6323-9900-000000007502}29724972C:\Windows\Explorer.EXE{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.015{6820D070-4B7F-6323-9900-000000007502}29724972C:\Windows\Explorer.EXE{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:34.015{6820D070-4B7F-6323-9900-000000007502}29724972C:\Windows\Explorer.EXE{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000190226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:35.531{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D9132EE3AD0AA0ADF9C9D8552591615,SHA256=2A074D0958FBAE7F5582C856EA3E42CE3E7DC7773FECBA99E85783D9525A5A6A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000347262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.969{6820D070-4E19-6323-3B01-000000007502}68446944C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+eec5b(wow64)|UNKNOWN(000000001C5409CB)|UNKNOWN(000000001C540951)|UNKNOWN(000000001C5408C5)|UNKNOWN(000000001C5407EE)|UNKNOWN(000000001C5406FA)|UNKNOWN(000000000F450D1C)|UNKNOWN(000000000DA5F005)|UNKNOWN(000000000DA5EEAE)|UNKNOWN(000000000DA5EDE8)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+25f311(wow64) 734700x8000000000000000347261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.961{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\WMINet_Utils.dll2.0.50727.8745 (WinRel.050727-8700)WMINet_Utils.dllMicrosoft® .NET FrameworkMicrosoft CorporationWMINet_Utils.dllMD5=FE3A877218F498F90DD1D097FB770BFA,SHA256=7B7AB5348E3143DB00D0FCE36E5A75867046B5C60FC52DC9E0A166CA2FDF714E,IMPHASH=422758B458E7A457D744549F961156CCtrueMicrosoft CorporationValid 734700x8000000000000000347260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.855{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Management.dllMD5=958FDDB17C667F7A3B6DCAF7A65D77CA,SHA256=2E169CCA1C98C89149E2022FCD0EDAC5037BFD5B4CBB7A6C38FCBBA048C42023,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000347259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.856{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Management.dllMD5=958FDDB17C667F7A3B6DCAF7A65D77CA,SHA256=2E169CCA1C98C89149E2022FCD0EDAC5037BFD5B4CBB7A6C38FCBBA048C42023,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000347258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.854{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Management.dllMD5=958FDDB17C667F7A3B6DCAF7A65D77CA,SHA256=2E169CCA1C98C89149E2022FCD0EDAC5037BFD5B4CBB7A6C38FCBBA048C42023,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000347257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.830{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft .NET Framework Custom MarshalersMicrosoft® .NET FrameworkMicrosoft CorporationCustomMarshalers.dllMD5=42DA151FFF2A55E85E078829BF3A0000,SHA256=2D942049C5C2BF2A6B7230BC7815B1759100E70125A9FC8C865FA87EF2FEA9C5,IMPHASH=6158BA7CC8ABE8F855A2AF17A6D4B2C0trueMicrosoft WindowsValid 734700x8000000000000000347256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.830{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft .NET Framework Custom MarshalersMicrosoft® .NET FrameworkMicrosoft CorporationCustomMarshalers.dllMD5=42DA151FFF2A55E85E078829BF3A0000,SHA256=2D942049C5C2BF2A6B7230BC7815B1759100E70125A9FC8C865FA87EF2FEA9C5,IMPHASH=6158BA7CC8ABE8F855A2AF17A6D4B2C0trueMicrosoft WindowsValid 734700x8000000000000000347255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.831{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft .NET Framework Custom MarshalersMicrosoft® .NET FrameworkMicrosoft CorporationCustomMarshalers.dllMD5=42DA151FFF2A55E85E078829BF3A0000,SHA256=2D942049C5C2BF2A6B7230BC7815B1759100E70125A9FC8C865FA87EF2FEA9C5,IMPHASH=6158BA7CC8ABE8F855A2AF17A6D4B2C0trueMicrosoft WindowsValid 734700x8000000000000000347254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.807{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000347253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.805{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000347252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.801{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000347251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.799{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2F,IMPHASH=844732D10340F10C1E97778BA10CF30EtrueMicrosoft WindowsValid 734700x8000000000000000347250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.811{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\SysWOW64\sxs.dll10.0.14393.5246 (rs1_release.220701-1744)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=2A16D108FE99577ABCC08B92F2765971,SHA256=AF5268F39CE35FA3215E8162A0BF4C1949D0F5FB7A284953362ED23507C5697F,IMPHASH=36E120EA05F8714D20693A7DA02D7326trueMicrosoft WindowsValid 734700x8000000000000000347249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.795{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000347248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.802{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000347247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.794{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946,IMPHASH=2DCB08A6E31A83C3EA33C5793EFA9A56trueMicrosoft WindowsValid 734700x8000000000000000347246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.790{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088,IMPHASH=76F056ED62EDF4D48793D8C5EDA733ADtrueMicrosoft WindowsValid 734700x8000000000000000347245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.785{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 734700x8000000000000000347244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.777{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587B,IMPHASH=34AF29CE553D01A9CE643682A40D7CB5trueMicrosoft WindowsValid 734700x8000000000000000347243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.783{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9,IMPHASH=CAC6B3339C5CAA083E24A4484EE86E29trueMicrosoft WindowsValid 10341000x8000000000000000347242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.781{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000347241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.775{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040C,IMPHASH=789B4484C292CAC32E0806DEE3E8734AtrueMicrosoft WindowsValid 734700x8000000000000000347240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.772{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6D,IMPHASH=61592743BFAEF2F12950E5420FA2AEB1trueMicrosoft WindowsValid 10341000x8000000000000000347239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.743{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000347238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.743{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000347237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.743{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000347236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.739{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000347235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.739{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000347234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.739{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 734700x8000000000000000347233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.679{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll8.0.50727.8745 (WinRel.050727-8700)Visual Basic Runtime LibraryMicrosoft® Visual Studio® 2005Microsoft CorporationMicrosoft.VisualBasic.DLLMD5=CF29781E0DDE50FADF81C98AFF4FC10E,SHA256=1C5084ECBBC3B9C976A44E6B0D335F83AFF78194C8C90F904C13E8C36BB628A9,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000347232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.679{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll8.0.50727.8745 (WinRel.050727-8700)Visual Basic Runtime LibraryMicrosoft® Visual Studio® 2005Microsoft CorporationMicrosoft.VisualBasic.DLLMD5=CF29781E0DDE50FADF81C98AFF4FC10E,SHA256=1C5084ECBBC3B9C976A44E6B0D335F83AFF78194C8C90F904C13E8C36BB628A9,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000347231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.679{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll8.0.50727.8745 (WinRel.050727-8700)Visual Basic Runtime LibraryMicrosoft® Visual Studio® 2005Microsoft CorporationMicrosoft.VisualBasic.DLLMD5=CF29781E0DDE50FADF81C98AFF4FC10E,SHA256=1C5084ECBBC3B9C976A44E6B0D335F83AFF78194C8C90F904C13E8C36BB628A9,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000347230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.663{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=9178314010A9838BDEBA4C83B1F5F1CC,SHA256=2AD8E588254C7A26C2FA224AAFC0BADE9EBEC421624FDD3E798042A0AAA8322D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000347229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.663{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=9178314010A9838BDEBA4C83B1F5F1CC,SHA256=2AD8E588254C7A26C2FA224AAFC0BADE9EBEC421624FDD3E798042A0AAA8322D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000347228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.663{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=9178314010A9838BDEBA4C83B1F5F1CC,SHA256=2AD8E588254C7A26C2FA224AAFC0BADE9EBEC421624FDD3E798042A0AAA8322D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 23542300x8000000000000000347227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.711{6820D070-4ADF-6323-2900-000000007502}2576NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\surveyor-20220915155511-014MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000347226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.679{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000347225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.625{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Windows.Forms.dllMD5=D7BE1A5DFB5FA4F5FDF413A7B4B226B3,SHA256=2BF63A02DD33395465CDADBF7276D2B6E95B43235CEC21B0931D4328EE03D31C,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000347224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.625{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Windows.Forms.dllMD5=D7BE1A5DFB5FA4F5FDF413A7B4B226B3,SHA256=2BF63A02DD33395465CDADBF7276D2B6E95B43235CEC21B0931D4328EE03D31C,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000347223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.625{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Windows.Forms.dllMD5=D7BE1A5DFB5FA4F5FDF413A7B4B226B3,SHA256=2BF63A02DD33395465CDADBF7276D2B6E95B43235CEC21B0931D4328EE03D31C,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000347222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.563{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\diasymreader.dll8.0.50727.8745 (WinRel.050727-8700)Dia based SymReaderMicrosoft® Visual Studio® 2005Microsoft Corporationdiasymreader.dllMD5=7D6A7AD508368F8A41E19A593BF8152A,SHA256=9385717A62043C46A22A99893139475ACB44C0096DDE9954C9BDED721F4581A2,IMPHASH=E2ADD10FCF5C120524D6149FB9E129DEtrueMicrosoft CorporationValid 734700x8000000000000000347221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.450{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft .NET Runtime Just-In-Time CompilerMicrosoft® .NET FrameworkMicrosoft Corporationmscorjit.dllMD5=942A0FD4301180517656DF2D7DF45574,SHA256=B9648A085BD060F253D28351E5FED798CE5893B69FA4E221D44C99F460D05936,IMPHASH=458AE5B7483D2B3344CEEB01EB67E386trueMicrosoft CorporationValid 23542300x8000000000000000347220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.466{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA750190DC2EB9EEBF9232E4766FED91,SHA256=5159C587E278BA30D22CE59F8B19E19069BF555BA62D6BFE238FA5E70F5E5E24,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000347219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.444{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670,IMPHASH=1FCD5DF5B3D97346B0A828B1CFDB1ED1trueMicrosoft WindowsValid 734700x8000000000000000347218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.422{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=33842D2EF1AFD0E94F73E24E55724418,SHA256=EBD2C419EB5B75270E1CC6F80FABD899C8F7B787F742CF3B0F608BB807197DF1,IMPHASH=6FE75EB0A263DD16629B09AECE416B36trueMicrosoft WindowsValid 10341000x8000000000000000347217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.444{6820D070-4AD1-6323-1500-000000007502}12201948C:\Windows\system32\svchost.exe{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.444{6820D070-4AD1-6323-1500-000000007502}12201256C:\Windows\system32\svchost.exe{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000347215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.366{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Diagnostics.FileVersionInfo.dll6.0.21.52210System.Diagnostics.FileVersionInfoMicrosoft® .NETMicrosoft CorporationSystem.Diagnostics.FileVersionInfo.dllMD5=7A821EAD4D7540D01F04760B7BFC2E44,SHA256=C81E962AE4948E463E2A48A5C4BFFE917AD8344329229C3E4BCB7C8E20DCD2A1,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.303{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6,IMPHASH=8B487D2FE53FD7CA3451BEAFFC8EF197trueMicrosoft WindowsValid 734700x8000000000000000347213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.292{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.Diagnostics.Runtime.dll1.1.2.42101Microsoft.Diagnostics.RuntimeMicrosoft.Diagnostics.RuntimeMicrosoft CorporationMicrosoft.Diagnostics.Runtime.dllMD5=F35A1B0788CE8A649D5D770AED379536,SHA256=47ADF5F9EED9C87ADA36BF0D9B3848632C0AFF44FB6DE456CCC57BD56B379CB2,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x8000000000000000347212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.242{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft Globalization SupportMicrosoft® .NET FrameworkMicrosoft Corporationculture.dllMD5=22E9113EA0D1D8252314F23BAD16DD36,SHA256=A731E05FCFCE0B9FCF449DFB589A49C09FC63593D61676F5EE3977CBD47C64A9,IMPHASH=104E17C81D918D1C093DA532DC4F4DBEtrueMicrosoft CorporationValid 734700x8000000000000000347211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.239{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=65E40BDC28FDF5C01C6CF95D6CC45703,SHA256=FE140E0F5D1E06A51E679B26D6A99AA65A2DDCD7C4CD71BD51FEB2939BF6B7A4,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000347210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.239{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=65E40BDC28FDF5C01C6CF95D6CC45703,SHA256=FE140E0F5D1E06A51E679B26D6A99AA65A2DDCD7C4CD71BD51FEB2939BF6B7A4,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000347209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.251{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=65E40BDC28FDF5C01C6CF95D6CC45703,SHA256=FE140E0F5D1E06A51E679B26D6A99AA65A2DDCD7C4CD71BD51FEB2939BF6B7A4,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000347208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.175{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873C,IMPHASH=6E3C4DB87F2B77C788E86C1A678A8D0DtrueMicrosoft WindowsValid 734700x8000000000000000347207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.172{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=80EE5186671CE3551034147EB20E8D5A,SHA256=4004CA1A47FE31D95444872D19BEA51A83472528001B3E8EC18BA0C843199AE9,IMPHASH=6DF3E31673D2CCEDABFBE5A79390B72DtrueMicrosoft WindowsValid 734700x8000000000000000347206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.165{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=B05DBB473918152F51A7F5A10FE250C7,SHA256=85EA95E8D8B1123288E84E5DC8502584288D67B2C692B118411F37774479498B,IMPHASH=A7A8E1C7D8A348EDDDA81702A2FEC068trueMicrosoft WindowsValid 10341000x8000000000000000347205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.296{6820D070-4E19-6323-3B01-000000007502}68447200C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000001C08F4E2)|UNKNOWN(000000001C08F2E8)|UNKNOWN(000000001C08EDD0)|UNKNOWN(000000001C08E08C)|UNKNOWN(000000001C08DC0D)|UNKNOWN(000000000A9CB69C)|UNKNOWN(000000000A9C758A)|UNKNOWN(000000000A9C72CD)|UNKNOWN(0000000009399467)|UNKNOWN(00000000093993E7)|UNKNOWN(00000000093991FC)|UNKNOWN(0000000009391BE5)|UNKNOWN(000000000939196E)|UNKNOWN(00000000093918A8) 23542300x8000000000000000347204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.274{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96308B21862E6F9C6079DD7FB5B62E39,SHA256=73EB106ABBB8ED1564BB280DE469D034D5F122233A97CCB854115F9982A8D3F2,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000347203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.117{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=65BF71AD92E68AC9BCDFA13C5FF0959D,SHA256=14FDD181EF550EAE500F4B617877BD2DC04827704704A56DCF30446AEEA2882A,IMPHASH=F1F88F7EE16DD2A229F2F5159DB8928BtrueMicrosoft WindowsValid 734700x8000000000000000347202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.167{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489,IMPHASH=689E2A5805AE9CF0919D2DDDDDC411CCtrueMicrosoft WindowsValid 734700x8000000000000000347201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:35.119{6820D070-4E3E-6323-4301-000000007502}7304C:\Temp\agentteslaa.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97,IMPHASH=07C997EFB887CE39B75B7896A20F5FFBtrueMicrosoft WindowsValid 23542300x8000000000000000190227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:36.726{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B614F690DFE057C495AD5BF2A410EBE,SHA256=4149ABDA94D478EBC2ADBFC3BF318CEA9168636FBFE590E00196B56E336BD25C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000347264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:36.573{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43C163840ABE8EFA8FA3CBFB1621B02A,SHA256=AB9E06A0855E1E941CD06D2224DD5ECE425EF12FD03AA108FABC7E09763701FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000347263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:33.251{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63518-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000190228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:37.910{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=081F7EBB399A2BEBC7117B409753F7AD,SHA256=F33C24CCCE7AF05E98779AC455496323538393DBA3D6C04AD0BA116506DD0181,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000347265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:37.428{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48E02ED9F4B09530DCA5B26ABD749016,SHA256=E89115820308E126C85639D775FBD4EC6ECD945DB340F42EF34E7504BA628A52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000347270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:38.568{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3B276FA315D761F116EA253EC12C173,SHA256=FD2848222401A4C8DAEE2E614B280A423EF9840900CD2FFDAFBDD92D7B9965F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:35.437{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49866-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 534500x8000000000000000347269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:38.323{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe 734700x8000000000000000347268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:38.299{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\vcruntime140_cor3.dll14.29.30130.2 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio®Microsoft Corporationvcruntime140.dllMD5=F593C4EC900F38DAC2D7919DC88B8766,SHA256=F765EDCAEDFA38873A7B2ECF1500AC1F90EBA112A8D27C53F45063098DCE87B5,IMPHASH=B06D4116DA69A513992D529F84731E6FtrueMicrosoft CorporationValid 23542300x8000000000000000347267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:38.283{6820D070-4E19-6323-3B01-000000007502}6844ATTACKRANGE\AdministratorC:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\AppData\Roaming\dnSpy\dnSpy.xmlMD5=E03D2E9CBB246ECA5AC19B1137AAA90A,SHA256=A8756A57061D01AA374C200DF789CE8096754AC27A9B778C2844A6D41998150F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000347266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:38.252{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4E19-6323-3B01-000000007502}6844C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1a375|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000347301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:39.982{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\explorer.exeC:\Windows\System32\syncui.dll10.0.14393.2608 (rs1_release.181024-1742)Windows BriefcaseMicrosoft® Windows® Operating SystemMicrosoft CorporationSYNCUI.DLLMD5=D3CD7E690590A1AD564C832DFE1A1922,SHA256=F3CB2B362A0970B106D8B5F27F80D019931090D3ED579C72182163502BA212B7,IMPHASH=39745F2E08404A86C1D135E2AB69B2B1trueMicrosoft WindowsValid 10341000x8000000000000000347300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:39.982{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:39.982{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000347298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:39.982{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\explorer.exeC:\Windows\System32\shacct.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Shell Accounts ClassesMicrosoft® Windows® Operating SystemMicrosoft Corporationshacct.dllMD5=6C3405DC9DB5740B6B2AD3AF67031A2E,SHA256=223153AF2A71D3549CCE25D3EAA294DD44471EA8A0733E5AC1EFD7D99D03886E,IMPHASH=F9EDABA9B540C273AC125BA9D119C3AAtrueMicrosoft WindowsValid 734700x8000000000000000347297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:39.951{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\explorer.exeC:\Windows\System32\twext.dll10.0.14393.5192 (rs1_release.220610-1622)Previous Versions property pageMicrosoft® Windows® Operating SystemMicrosoft Corporationtwext.dllMD5=AD23E6F6DDBC81B6BB5846536765DF1E,SHA256=9A3872A585E0F664A12F102E5C4D771A17B583F01FF6A4C9C2A2E0696055B3E7,IMPHASH=29C3BF5A3E76E3AC1BA5E32244E9991FtrueMicrosoft WindowsValid 10341000x8000000000000000347296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:39.772{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2E00-000000007502}2728C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:39.770{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2D00-000000007502}2720C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:39.766{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 23542300x8000000000000000347293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:39.717{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\startupCache\startupCache.8.littleMD5=87EEB511D494F25937C3749BD4577EAF,SHA256=9DEFAC3CC428B67C6370BCFBD39FE3EDCD95E501899A4164259A43EBE571BDC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000347292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:39.632{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C679E47E72DB1F6278478DA4589E96C,SHA256=1422FBFE756612129AC0A67C2EDFB65BE9B8B9ECC27D7D500122E424CA949DE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:39.009{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F2461A771373CAE2495DB4C29E4820E,SHA256=C002478A5ECAD103E338859C5BC26B83BD1D4E1DB33A2DE0CB70847F945A1F6C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000347291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:39.356{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:39.350{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2900-000000007502}2576C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:39.344{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:39.334{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2600-000000007502}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:39.327{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2500-000000007502}2460C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:39.324{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADB-6323-2300-000000007502}2300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:39.322{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD2-6323-1B00-000000007502}1512C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:39.319{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1700-000000007502}1348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:39.309{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1600-000000007502}1292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:39.273{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:39.266{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1400-000000007502}1160C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:39.261{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1300-000000007502}924C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:39.249{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1200-000000007502}396C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:39.238{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1100-000000007502}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:39.229{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1000-000000007502}428C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:39.216{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0F00-000000007502}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:39.209{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:39.197{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0D00-000000007502}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:39.189{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:39.150{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:39.147{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0900-000000007502}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 23542300x8000000000000000190231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:40.105{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76738E40CE524CFFDF793CEBA92139D8,SHA256=FAC0A77B7C4635BB0984EB6658C542A19C5700087257710B3C6F2693C2DDC635,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000347324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.localInvDBSetValue2022-09-15 16:09:40.329{6820D070-4AD1-6323-1000-000000007502}428C:\Windows\System32\svchost.exeHKU\S-1-5-21-2725908065-3830167236-2451934224-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Users\Administrator\Downloads\dnSpy.exeBinary Data 734700x8000000000000000347323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:40.251{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\explorer.exeC:\Windows\System32\EhStorAPI.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Enhanced Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationEhStorapi.dllMD5=1287D2464B3F71ECC99316991E038B0B,SHA256=7FFA04958C7E76E42712E8D9E03037E3E98E2A6E1A6D277E48A76C55F4E794E8,IMPHASH=33685761AD2886071A8D7CFB81130BEAtrueMicrosoft WindowsValid 734700x8000000000000000347322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:40.251{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\explorer.exeC:\Windows\System32\wpdshext.dll10.0.14393.4169 (rs1_release.210107-1130)Portable Devices Shell ExtensionMicrosoft® Windows® Operating SystemMicrosoft CorporationWpdShExt.dllMD5=CEB555E9099888316A1E2ADE83BA82BF,SHA256=4110FFD5F08100D1F6E1005E2907460E40B3221A0833B821BE291657416E89F0,IMPHASH=60006258D4DE87B31BEDA805A8CC8040trueMicrosoft WindowsValid 734700x8000000000000000347321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:40.213{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\explorer.exeC:\Windows\System32\DevDispItemProvider.dll10.0.14393.0 (rs1_release.160715-1616)DeviceItem inproc devquery subsystemMicrosoft® Windows® Operating SystemMicrosoft CorporationDevDispItemProvider.dllMD5=CCDEFAE1F31F9F9AED64686A143D3D0A,SHA256=CF96EB0C3422628398D218152A729221C0F5D09F287E083AE88ECD77DB2C11BC,IMPHASH=B96B407351B4F23871E4087C6E937148trueMicrosoft WindowsValid 734700x8000000000000000347320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:40.213{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\explorer.exeC:\Windows\System32\PlayToDevice.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)PLAYTODEVICE DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPlaytoDevice.dllMD5=F16F9896C90C06D66C3538AD9DA011F7,SHA256=EF2A5483794B7E4D836393CF2F4C3A065719855C16933D25C219E620BB692A8A,IMPHASH=C336F93278ACA9710F465E21059D5842trueMicrosoft WindowsValid 734700x8000000000000000347319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:40.193{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\explorer.exeC:\Windows\System32\dlnashext.dll10.0.14393.4169 (rs1_release.210107-1130)DLNA Namespace DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationdlnashext.dllMD5=DB3FEFF8118F622BEF9D5019F07AC2CA,SHA256=83A075102103FAB6DDF5890B01CFD5E74BAB722F24EDA78ED7DCDD55325B7678,IMPHASH=2C687E2BD4D0FE6C08716DC497583D88trueMicrosoft WindowsValid 354300x8000000000000000347318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:38.299{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63519-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x8000000000000000347317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:40.151{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\explorer.exeC:\Windows\System32\mydocs.dll10.0.14393.4169 (rs1_release.210107-1130)My Documents Folder UIMicrosoft® Windows® Operating SystemMicrosoft Corporationmydocs.dllMD5=999FD44CF5713852E6083A43A7917761,SHA256=D5C75951C29B7F0AAA4EC9E9AB3195933E650C1F171092F389FD4DB66CA1CA20,IMPHASH=D1267CC8F49B54A66A0034D2C4452E93trueMicrosoft WindowsValid 734700x8000000000000000347316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:40.136{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\explorer.exeC:\Windows\System32\sendmail.dll10.0.14393.4169 (rs1_release.210107-1130)Send MailMicrosoft® Windows® Operating SystemMicrosoft CorporationSENDMAIL.DLLMD5=04626525E567811FC7ECB3E31D94F8B0,SHA256=678A3A9DD713DC61F72112BD3160B8753F1A50D1179FDFABD265C32103980A6A,IMPHASH=52DBB027F849F4DB11CB3C2B56C0E9FBtrueMicrosoft WindowsValid 734700x8000000000000000347315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:40.103{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\explorer.exeC:\Windows\System32\msi.dll5.0.14393.5192Windows InstallerWindows Installer - UnicodeMicrosoft Corporationmsi.dllMD5=B7A63EC8461AA5F92B1876305DE9800D,SHA256=FA052CEC7744320872CD4CFCBD4F1D56ABBCC67702B832884B8F60F93C191D45,IMPHASH=921305700F902B8CB66358D10709E873trueMicrosoft WindowsValid 734700x8000000000000000347314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:40.052{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\explorer.exeC:\Windows\System32\sfc.dll10.0.14393.0 (rs1_release.160715-1616)Windows File ProtectionMicrosoft® Windows® Operating SystemMicrosoft Corporationsfc.dllMD5=22BEEEDFF247B8F90252646C91E775E5,SHA256=10F0FF6F6F21CCC3343BCBCC9B5158A95EC328C1C21F3B9482C688848B89E1DD,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000347313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:40.052{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\explorer.exeC:\Windows\System32\acppage.dll10.0.14393.4169 (rs1_release.210107-1130)Compatibility Tab Shell Extension LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationacppage.dllMD5=A160D66CED8CFE5D47AA93EB23042BBD,SHA256=172A7CA4C3A65A7DE15797219B6CB29F867074C2E62874EFDFBE1F52970EA8E9,IMPHASH=FC3DD41461C2A75DF5F9BB15953B5B4FtrueMicrosoft WindowsValid 734700x8000000000000000347312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:40.052{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\explorer.exeC:\Windows\System32\zipfldr.dll10.0.14393.4169 (rs1_release.210107-1130)Compressed (zipped) FoldersMicrosoft® Windows® Operating SystemMicrosoft CorporationZIPFLDR.DLLMD5=4849E9F93A0F34EC87F82E26049B47FD,SHA256=ADA89724741D0053E8322199764BDF5B39F7B94C0D973248D5FC7AF2F59C8590,IMPHASH=FA770D60A54EF20694B1F385EAA957B5trueMicrosoft WindowsValid 10341000x8000000000000000347311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:40.036{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-3000-000000007502}2780C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000347310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:40.036{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\explorer.exeC:\Program Files\7-Zip\7-zip.dll22.017-Zip Shell Extension7-ZipIgor Pavlov7-zip.dllMD5=C3AF132EA025D289AB4841FC00BB74AF,SHA256=56B1148A7F96F730D7085F90CADDA4980D31CAD527D776545C5223466F9FFB52,IMPHASH=BC6A26B410657FD67B33DDBF731FD14Dfalse-Unavailable 10341000x8000000000000000347309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:40.036{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-3000-000000007502}2780C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:40.036{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-3000-000000007502}2780C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:40.036{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-3000-000000007502}2780C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000347306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:40.036{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\explorer.exeC:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.9247_none_08e394a1a83e212f\msvcr90.dll9.00.30729.9247Microsoft® C Runtime LibraryMicrosoft® Visual Studio® 2008Microsoft CorporationMSVCR90.DLLMD5=478709DF780F6498B71BC3BDD5004514,SHA256=15535EE0DC5F14284FBF1DD975FFECE2CA45547E03752A6ABACFC54B6099D2F5,IMPHASH=8C15E10A91D42E14910D94E0A47560FBtrueMicrosoft CorporationValid 734700x8000000000000000347305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:40.008{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\explorer.exeC:\Program Files\Notepad++\NppShell_06.dll0.1ShellHandler for Notepad++ (64 bit)--NppShell64.dllMD5=1FD3BEE83F987DC33C05251A7738DB0B,SHA256=C678471FC86FA3D91A15072F58474271193E09BA150400431B549605A8DDCC7D,IMPHASH=5C0EDB7E35310FF8F3AABE7A6043F076trueNotepad++Valid 734700x8000000000000000347304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:39.982{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\explorer.exeC:\Windows\System32\samlib.dll10.0.14393.4530 (rs1_release.210705-0736)SAM Library DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSAMLib.DLLMD5=92CD5DA45ABA4CE45313783FCB345D99,SHA256=B0F20BE2B144056E488F8FF51E266F426625E64E3C91CCD17895A441A0935C46,IMPHASH=7712978A8D93CC3BE5668BB2C1A9F990trueMicrosoft WindowsValid 734700x8000000000000000347303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:40.014{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\explorer.exeC:\Windows\System32\msimg32.dll10.0.14393.0 (rs1_release.160715-1616)GDIEXT Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationgdiextMD5=78DA58DF85F86CA61E5EAFB9EF0A83BE,SHA256=3216205F5C355D582EC4B902651B62E1FF3EFFDCA40BC849D474F13F1325E962,IMPHASH=2E671B0A6A313B7E8765124B944DA4FEtrueMicrosoft WindowsValid 734700x8000000000000000347302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:39.982{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\explorer.exeC:\Windows\System32\synceng.dll10.0.14393.0 (rs1_release.160715-1616)Windows Briefcase EngineMicrosoft® Windows® Operating SystemMicrosoft CorporationSYNCENG.DLLMD5=A683B60F1A5FAC27D1173F937403ED1B,SHA256=57450827A7F7D880F236F27A1D92654A3284842226539A26F311CFA736083571,IMPHASH=0A2DBAAA924DBD2D0A4335D1E0E9A7C9trueMicrosoft WindowsValid 23542300x8000000000000000190233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:41.824{E743DC12-4AD1-6323-2200-000000007602}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=9DF4F5F346510078DF84529012F3ACF3,SHA256=8C7C4D66A18AADD62BEF817BE528E270DBB84383EB1EE9D1AF8C7B286F5D4564,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:41.196{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0C6491D90E48BEDD46ACE4F7FD2CABA,SHA256=9BDD81CB64CDE23979163F32E4AE631E3B5C03E017DF11591C3AD076523D4F2D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000347331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:41.798{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3500-000000007502}2408C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:41.797{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3300-000000007502}2176C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:41.793{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:41.791{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3100-000000007502}2816C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:41.789{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2F00-000000007502}2800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:41.787{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3000-000000007502}2780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 23542300x8000000000000000347325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:41.069{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF6D4748665E31A68AA8E24381C419A1,SHA256=A9BC6C9C5DF5F149C3B443E78D4B113ADBBAE0D0659AEEF28E2330EFC33A1E2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:42.261{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67A739DC4A0565764F06433C81E433CC,SHA256=EF261C7077A3D0346792530B803E4263B4C06128C48424328FA6902EF659D688,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000347428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.943{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\netstandard.dll6.0.21.52210netstandardMicrosoft® .NETMicrosoft Corporationnetstandard.dllMD5=2A71DC426DD2233C09557AA5080C2728,SHA256=B327E1C2E0D91150ED8D96D958C3F605BBE197DE6458D8E45901FADD3CF439F1,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000347427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.943{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnlib.dll3.5.0.0dnlib (thread safe)dnlib0xd4ddnlib.dllMD5=0B803121812D241F8FC1B8E53E8E965B,SHA256=ECF5D926A965B89F1427514EF03DF543A48FD26464CA5D6EB27EB0A7E3D7AA5A,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000347426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.936{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Diagnostics.Tracing.dll6.0.21.52210System.Diagnostics.TracingMicrosoft® .NETMicrosoft CorporationSystem.Diagnostics.Tracing.dllMD5=C82FD113C35576BC608EE13460AC7DE6,SHA256=8A87E2AB0BBFC3EE4BDB0FF5303227183D46661A2F73DBB598A7240341217B3F,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000347425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.921{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.DnSpy.dll6.2.0.0dnSpy.Contracts.DnSpydnSpy.Contracts.DnSpydnSpy.Contracts.DnSpydnSpy.Contracts.DnSpy.dllMD5=96B94DB45C774280FA3E5380F19BAF73,SHA256=A1F2EA0B03E0C6BC2E68F7B4276C165B0B00872A3FB2989C913EEECF470608A4,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 10341000x8000000000000000347424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.911{6820D070-4AD1-6323-1500-000000007502}12201948C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.910{6820D070-4AD1-6323-1500-000000007502}12201256C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000347422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.895{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670,IMPHASH=1FCD5DF5B3D97346B0A828B1CFDB1ED1trueMicrosoft WindowsValid 734700x8000000000000000347421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.895{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Runtime.dll6.0.21.52210System.RuntimeMicrosoft® .NETMicrosoft CorporationSystem.Runtime.dllMD5=5DDDA9B5710F5C90C29696AEAC0EF6BB,SHA256=E39B9A9384B8D108D4DD447586E2C9104255B5B3B6A8B491AA2F8CC3DE017A49,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000347420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.895{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.dll6.2.0.0dnSpydnSpydnSpydnSpy.dllMD5=DEA0738CCCA15F581AC879F61DD01C2B,SHA256=90964FA6F7FCC82C95D995D94C3F23248B2D471E2FFAF56378234FA4EFD90286,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744false-Unavailable 10341000x8000000000000000347419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.816{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 734700x8000000000000000347418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.817{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\clrjit.dll6,0,21,52210 @Commit: 4822e3c3aa77eb82b2fb33c9321f923cf11ddde6Microsoft .NET Runtime Just-In-Time CompilerMicrosoft® .NETMicrosoft Corporationclrjit.dllMD5=8E8CC90EB531C0E33F5B6B00F4DABA67,SHA256=266CDA8125B98EE9B95B0A5A952982163DE3FFD42BB0FA7CB3D09D8C9F282BAF,IMPHASH=548C91713A58B402BCB54FA5F1BD6650true.NETValid 10341000x8000000000000000347417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.815{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000347416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.815{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000347415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.811{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000347414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.810{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000347413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.810{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 734700x8000000000000000347412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.774{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll6.0.21.52210System.Private.CoreLibMicrosoft® .NETMicrosoft CorporationSystem.Private.CoreLib.dllMD5=CEB531F02904C027960273F98BAE9C41,SHA256=CE8E92CACC5DBEEF25D046707ABEDAD5501378020041D23E5F42134CFE651883,IMPHASH=00000000000000000000000000000000true.NETValid 23542300x8000000000000000347411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.720{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=712E7852640C4724DBA9A3FCB9C69C73,SHA256=3624B06CD63D66110FDBB533FF42B0676C94B4AF7A13B8390C02866FF6EE76EB,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000347410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:09:42.634{6820D070-4E46-6323-4401-000000007502}5176\dotnet-diagnostic-5176C:\Users\Administrator\Downloads\dnSpy.exe 734700x8000000000000000347409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.634{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946,IMPHASH=2DCB08A6E31A83C3EA33C5793EFA9A56trueMicrosoft WindowsValid 734700x8000000000000000347408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.634{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088,IMPHASH=76F056ED62EDF4D48793D8C5EDA733ADtrueMicrosoft WindowsValid 734700x8000000000000000347407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.634{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=33842D2EF1AFD0E94F73E24E55724418,SHA256=EBD2C419EB5B75270E1CC6F80FABD899C8F7B787F742CF3B0F608BB807197DF1,IMPHASH=6FE75EB0A263DD16629B09AECE416B36trueMicrosoft WindowsValid 734700x8000000000000000347406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.634{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\coreclr.dll6,0,21,52210 @Commit: 4822e3c3aa77eb82b2fb33c9321f923cf11ddde6Microsoft .NET RuntimeMicrosoft® .NETMicrosoft CorporationCoreCLR.dllMD5=E2FACF2F73C251FCF034BFE926A44893,SHA256=2D52B48020B91C661C3C9CE0970F525ED2C0E1723669FFDBD8460F6532FADF54,IMPHASH=33015E36A96617B4B11824371A68A2FDtrue.NETValid 734700x8000000000000000347405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.588{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\hostpolicy.dll6,0,21,52210 @Commit: 4822e3c3aa77eb82b2fb33c9321f923cf11ddde6.NET Host Policy - 6.0.0Microsoft® .NET FrameworkMicrosoft Corporation.NET Host Policy - 6.0.0MD5=B7B65B552E6CE21529611B55A52CA104,SHA256=D8B768FE1784B1FCC5648669DC2BEF0C84C9A6219A4C7ED185A9FAF385C19350,IMPHASH=761C2F542982EB2D9490FFF2D186431Atrue.NETValid 734700x8000000000000000347404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.578{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\hostfxr.dll6,0,21,52210 @Commit: 4822e3c3aa77eb82b2fb33c9321f923cf11ddde6.NET Host Resolver - 6.0.0Microsoft® .NET FrameworkMicrosoft Corporation.NET Host Resolver - 6.0.0MD5=22360C3D2CD8F036ACEB6BB2D647DE28,SHA256=BEFA74AB5C3C92CED6E339DF5C97FD5F2CACC27FDD2F98B021FC63301EAC81B9,IMPHASH=842E74F1E5BCF2B7DBFF6C5965847D3Atrue.NETValid 734700x8000000000000000347403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.562{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3,IMPHASH=EA6E499F92F9040E9609EFDC47BE01FEtrueMicrosoft WindowsValid 734700x8000000000000000347402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.561{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873C,IMPHASH=6E3C4DB87F2B77C788E86C1A678A8D0DtrueMicrosoft WindowsValid 734700x8000000000000000347401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.561{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=80EE5186671CE3551034147EB20E8D5A,SHA256=4004CA1A47FE31D95444872D19BEA51A83472528001B3E8EC18BA0C843199AE9,IMPHASH=6DF3E31673D2CCEDABFBE5A79390B72DtrueMicrosoft WindowsValid 734700x8000000000000000347400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.560{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69,IMPHASH=9F60CD6001B5CEA647B250DFF3B6F65AtrueMicrosoft WindowsValid 734700x8000000000000000347399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.560{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6CE01AB1C2063B171AD7432B130FEBBD,SHA256=F554E9818C54F6C760C6E53BAEABCA3F5CAD683C028460307F3D93C7A8B06F02,IMPHASH=2D7046CEF5DEEA9D960D37CB0A98F146trueMicrosoft WindowsValid 734700x8000000000000000347398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.559{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7,IMPHASH=8B861EA72FDD6FC722328B2746B13380trueMicrosoft WindowsValid 734700x8000000000000000347397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.559{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489,IMPHASH=689E2A5805AE9CF0919D2DDDDDC411CCtrueMicrosoft WindowsValid 734700x8000000000000000347396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.559{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=495127E6E6D5CAEDE18A809EAEFFC349,SHA256=9F621D36BCD75AE97E1BCBA9BBFD75FEC74C6CA87AEF81F3190173CBF7CC2A45,IMPHASH=C3B61C1F5D46A607D624033E7094E4FFtrueMicrosoft WindowsValid 734700x8000000000000000347395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.558{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8,IMPHASH=918DADABE6E41CFBB03F954A46D3F72EtrueMicrosoft WindowsValid 734700x8000000000000000347394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.558{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891,IMPHASH=C7D6B46400E43E7BE538D1CCB512EC25trueMicrosoft WindowsValid 734700x8000000000000000347393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.558{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=1B90C58145F4B3C0743C470793469AD6,SHA256=21D752964E10DBB4DFC589856AA808D31E301B93C9E5FF6D1655D32FBD00AF44,IMPHASH=AC11100B3FFA7FCAFA188E618E4C7CC1trueMicrosoft WindowsValid 734700x8000000000000000347392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.557{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=C6EE0DB29435BF41835FFA96EB2F14C5,SHA256=CAF9E05D47F84728986E1BF563B3B87FAF3522F4E0CC4FD95694F418C307AD92,IMPHASH=DFB6F6F4811855AE14F8E8492E1C602FtrueMicrosoft WindowsValid 734700x8000000000000000347391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.557{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87,IMPHASH=44F906D172B935DEA0C5D038C6FA8449trueMicrosoft WindowsValid 734700x8000000000000000347390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.557{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=9629C30BA0F10D72FD189FCA987B0E29,SHA256=4DDAF3BB8CE239A8AD41F333AE7D2AD6B7763B9ED8B862695B67F60E5ADE031C,IMPHASH=7E0E904C0FD68DBF5F794D700C0C3C3DtrueMicrosoft WindowsValid 734700x8000000000000000347389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.556{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=B05DBB473918152F51A7F5A10FE250C7,SHA256=85EA95E8D8B1123288E84E5DC8502584288D67B2C692B118411F37774479498B,IMPHASH=A7A8E1C7D8A348EDDDA81702A2FEC068trueMicrosoft WindowsValid 734700x8000000000000000347388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.556{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97,IMPHASH=07C997EFB887CE39B75B7896A20F5FFBtrueMicrosoft WindowsValid 734700x8000000000000000347387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.555{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0B,IMPHASH=B5CBF1B1B5086E2C500FD84325E04D44trueMicrosoft WindowsValid 734700x8000000000000000347386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.555{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=65BF71AD92E68AC9BCDFA13C5FF0959D,SHA256=14FDD181EF550EAE500F4B617877BD2DC04827704704A56DCF30446AEEA2882A,IMPHASH=F1F88F7EE16DD2A229F2F5159DB8928BtrueMicrosoft WindowsValid 734700x8000000000000000347385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.554{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=8B516F883167509677B58B9984D8EEA2,SHA256=47F9B88E4038517FC8C5FEB3AC04B21A885EE505143952C96A23FE851869A90E,IMPHASH=E698C8E2E06172CDB524686FF10A5C5EtrueMicrosoft WindowsValid 734700x8000000000000000347384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.553{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDF,IMPHASH=25AFDCBDCE8BEB6A7109D378495BE552trueMicrosoft WindowsValid 734700x8000000000000000347383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.553{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62A,IMPHASH=5D2578ED274AAD83C30A3917C98404EEtrueMicrosoft WindowsValid 734700x8000000000000000347382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.553{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8C,IMPHASH=5D92B73B6930EFBC71A36B7FEF62DF62trueMicrosoft WindowsValid 734700x8000000000000000347381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.552{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=25ADC994F9AF8716E35487995DDB45CE,SHA256=47B573E7708AAA00F2BE6E8EB7F3CB1B4817E65FACBBB1D772970A8F710DAF61,IMPHASH=6E1D0A92C1917EFBFC1EEA82FA5E155FtrueMicrosoft WindowsValid 734700x8000000000000000347380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.551{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=2BF0F8D3C4FB14CB0DB195FED475AC53,SHA256=42360027F12D825CFA04158EEF4DE264AC74C7FD48C2C2EE384519714183436F,IMPHASH=EAF4CC449835E7A81A8EEFEBEB2E8FC7trueMicrosoft WindowsValid 734700x8000000000000000347379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.550{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82,IMPHASH=15CD876FB3F6EC97A2F7466360415F86trueMicrosoft WindowsValid 734700x8000000000000000347378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.550{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000347377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.550{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000347376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.549{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=2BF0F8D3C4FB14CB0DB195FED475AC53,SHA256=42360027F12D825CFA04158EEF4DE264AC74C7FD48C2C2EE384519714183436F,IMPHASH=EAF4CC449835E7A81A8EEFEBEB2E8FC7trueMicrosoft WindowsValid 734700x8000000000000000347375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.549{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000347374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.548{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0,IMPHASH=3045357B61B63AEF6CBCD96F2FA7E9D8trueMicrosoft WindowsValid 734700x8000000000000000347373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.548{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5D,IMPHASH=03B9E38A9E88FDC66380837CCC8647FAtrueMicrosoft WindowsValid 734700x8000000000000000347372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.547{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=B04953E4C38042AD2628FA49AB42AB5C,SHA256=7B2B4662D3EE0D6DD673C0FEEE4B28E2E16ABF534DF3076497C6B6B40E8BE9C1,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000347371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.547{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000347370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.547{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\dnSpy.exe6.2.0.0dnSpydnSpydnSpydnSpy.dllMD5=601BD36E59620AE5EC97C3DFB81B5202,SHA256=D5D1BD64C251D567F0340F89B0355F750284F34168BA64F40033D1494DEE1348,IMPHASH=FFFF45487D1E51FA972C8409931457DFfalse-Unavailable 10341000x8000000000000000347369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.546{6820D070-4AD1-6323-1000-000000007502}4286492C:\Windows\System32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.546{6820D070-4AD1-6323-1000-000000007502}4281028C:\Windows\System32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.546{6820D070-4AD1-6323-1000-000000007502}4281028C:\Windows\System32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.544{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.544{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.544{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.544{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.544{6820D070-4B7C-6323-8800-000000007502}6281180C:\Windows\system32\csrss.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000347361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.543{6820D070-4B7F-6323-9900-000000007502}29725892C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e73b|C:\Windows\System32\windows.storage.dll+16e451|C:\Windows\System32\windows.storage.dll+16e09e|C:\Windows\System32\windows.storage.dll+16f340|C:\Windows\System32\windows.storage.dll+16ddee|C:\Windows\System32\windows.storage.dll+fce8d|C:\Windows\System32\windows.storage.dll+fd5cc|C:\Windows\System32\windows.storage.dll+fc930|C:\Windows\System32\windows.storage.dll+16650a|C:\Windows\System32\windows.storage.dll+166262|C:\Windows\System32\SHELL32.dll+9cafd|C:\Windows\System32\SHELL32.dll+9b696|C:\Windows\System32\SHELL32.dll+8dfa9|C:\Windows\System32\SHELL32.dll+cf48e|C:\Windows\System32\SHELL32.dll+18377c|C:\Windows\System32\SHELL32.dll+19e928|C:\Windows\System32\SHELL32.dll+2845c3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+183a20 154100x8000000000000000347360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.540{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe6.2.0.0dnSpydnSpydnSpydnSpy.dll"C:\Users\Administrator\Downloads\dnSpy.exe" C:\Users\Administrator\Downloads\ATTACKRANGE\Administrator{6820D070-4B7D-6323-1F63-0C0000000000}0xc631f2HighMD5=601BD36E59620AE5EC97C3DFB81B5202,SHA256=D5D1BD64C251D567F0340F89B0355F750284F34168BA64F40033D1494DEE1348,IMPHASH=FFFF45487D1E51FA972C8409931457DF{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 10341000x8000000000000000347359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.479{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.476{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.473{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.470{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.464{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.461{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF6-6323-1401-000000007502}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.459{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.456{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F100-000000007502}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.452{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F000-000000007502}6028C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.450{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EF00-000000007502}5984C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.440{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EE00-000000007502}5852C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.409{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.405{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.394{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.359{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.347{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-9100-000000007502}4556C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.329{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-8E00-000000007502}4492C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.324{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8B00-000000007502}4360C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.321{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8900-000000007502}900C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.319{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B64-6323-8600-000000007502}5052c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.316{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B5A-6323-8400-000000007502}4824C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.314{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AF2-6323-7D00-000000007502}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.312{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.307{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4C00-000000007502}3976C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.306{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4700-000000007502}3772C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.304{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE1-6323-4600-000000007502}3752C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000347333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.303{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE0-6323-3A00-000000007502}3404C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 23542300x8000000000000000347332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:42.133{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A61419CEE0EBF9764D504117CF630D79,SHA256=244976E7CF1FB22266B92E8F2E833BAA64165439C6C56786D8882F6C9C90BF9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:43.990{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1100-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:43.980{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1000-000000007602}940C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:43.975{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0F00-000000007602}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:43.964{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0E00-000000007602}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:43.952{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0D00-000000007602}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:43.944{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0C00-000000007602}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:43.934{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:43.930{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0900-000000007602}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 354300x8000000000000000190236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:41.316{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49867-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000190235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:43.453{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=400D0ADB1C88944E1D73E3000FEF4EE7,SHA256=A86EE74DF335406E3096D2FB7F929F45E79E2ABC479AA6933721D7C69E3219C2,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000347527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.996{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.Interpreter.dll6.2.0.0dnSpy.Debugger.DotNet.InterpreterdnSpy.Debugger.DotNet.InterpreterdnSpy.Debugger.DotNet.InterpreterdnSpy.Debugger.DotNet.Interpreter.dllMD5=80E8A0AB7E9FB61EA11B69A9D05CE2F8,SHA256=12770EDE0DC53FE6B8D8C04EBA86D8D76421E1EA63D15E751E4D2C28B98DA334,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000347526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.981{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Debugger.DotNet.CorDebug.dll6.2.0.0dnSpy.Contracts.Debugger.DotNet.CorDebugdnSpy.Contracts.Debugger.DotNet.CorDebugdnSpy.Contracts.Debugger.DotNet.CorDebugdnSpy.Contracts.Debugger.DotNet.CorDebug.dllMD5=8A66D528C4032948391D9279B4FBCA7C,SHA256=216CF81D33D53D8643DD838AD67E303BD502B9F1008D18DC9896164C093D915E,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000347525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.981{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Debugger.DotNet.Mono.dll6.2.0.0dnSpy.Contracts.Debugger.DotNet.MonodnSpy.Contracts.Debugger.DotNet.MonodnSpy.Contracts.Debugger.DotNet.MonodnSpy.Contracts.Debugger.DotNet.Mono.dllMD5=2E41332FA869D94289B7D0F4B527D535,SHA256=49916D030C6C4B64D5F600DFD9EF82F77ED9F5A4E4CE1E5DDDC328DB0C46AD6F,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000347524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.981{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\ICSharpCode.Decompiler.dll2.4.0.0ICSharpCode.DecompilerICSharpCode.Decompileric#codeICSharpCode.Decompiler.dllMD5=49546DA1624C7DD035610BC873B805D2,SHA256=3227C3D97F4E72D050FD1C7489AF73A152A71685F20259479456F5E72B6B88E0,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000347523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.981{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.Scripting.dll4.100.22.11411Microsoft.CodeAnalysis.ScriptingMicrosoft.CodeAnalysis.ScriptingMicrosoft CorporationMicrosoft.CodeAnalysis.Scripting.dllMD5=9DAC579574D4A584C9FAA2CE069C72DC,SHA256=922E63F0A6DEFE5E91F49D37C5D850B068B814716CC88717DB84B971EF7B0FF0,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000347522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.981{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.ExpressionEvaluator.dll1.0.0.0Microsoft.CodeAnalysis.ExpressionEvaluatorMicrosoft.CodeAnalysis.ExpressionEvaluatorMicrosoft.CodeAnalysis.ExpressionEvaluatorMicrosoft.CodeAnalysis.ExpressionEvaluator.dllMD5=29ED82A333B07338E488092EAC8386E5,SHA256=6C872F450B3E7E30E09770EED605DA993E57DB6C0DC83537E5C8070855A97053,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000347521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.981{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Drawing.Primitives.dll6.0.21.52210System.Drawing.PrimitivesMicrosoft® .NETMicrosoft CorporationSystem.Drawing.Primitives.dllMD5=5AE6A1091BD1147025C08AB08CD311B7,SHA256=A5AFBC45932CA897078CE8C3724D505AABCD83283599C5AB6C8A2440F4355ECE,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.981{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Iced.dll1.17.0.0IcedIcediced project and contributors <https://github.com/icedland>Iced.dllMD5=83224DF19D221DC0D4B0C8125D7C978F,SHA256=0763EAF4A7A3A7798DEB16F7138D454062868914A5226EF2BF512D3D19662714,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000347519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.965{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.Win32.SystemEvents.dll6.0.21.52210Microsoft.Win32.SystemEventsMicrosoft® .NETMicrosoft CorporationMicrosoft.Win32.SystemEvents.dllMD5=0440D9F939D0FDD4FC2040FABAB3859D,SHA256=6C3E08963E20CCE095FBF02789C7D35390E2D834B2A8E46064CE060D48AE52A4,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.965{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Windows.Forms.dll6.0.21.52301System.Windows.FormsMicrosoft® .NETMicrosoft CorporationSystem.Windows.Forms.dllMD5=F4149173A305B8701477D0175E6C814D,SHA256=B9AEAFE5A5F45AEBA4E4BD4E16BECF4F54BE536BB1C8914C292A8978FA76744A,IMPHASH=00000000000000000000000000000000true.NETValid 23542300x8000000000000000347517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.886{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DC4AFBC24C92730B2E67563AC6D2BFA,SHA256=BDCF0A983B0CB3703C6E3787BD53F5115935743E45FEFC4318D4F1CBB04BD912,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000347516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.855{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.Features.dll4.100.22.11411Microsoft.CodeAnalysis.FeaturesMicrosoft.CodeAnalysis.FeaturesMicrosoft CorporationMicrosoft.CodeAnalysis.Features.dllMD5=41A8D32C5428DFA29B7E837B89BB36BC,SHA256=E619919D846A23E0D1DAA6515D289235F09F5EE69B1D7AF6DC78E2C285160F00,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000347515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.764{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.Metadata.dll6.2.0.0dnSpy.Debugger.DotNet.MetadatadnSpy.Debugger.DotNet.MetadatadnSpy.Debugger.DotNet.MetadatadnSpy.Debugger.DotNet.Metadata.dllMD5=D615F14F9082D129B42D61C4AE722E01,SHA256=ABCB6CC22DC28F0C11936B11876A09C274E293B90AC78D6D20C7AE56F2EEB46E,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000347514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.764{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.Workspaces.dll4.100.22.11411Microsoft.CodeAnalysis.WorkspacesMicrosoft.CodeAnalysis.WorkspacesMicrosoft CorporationMicrosoft.CodeAnalysis.Workspaces.dllMD5=DDA30387CE2B0C4C3C984FE0688CD362,SHA256=1D5D85EF6F5A1D21F0A2B6D630DB9809E4F312048E6D0392D73BFEF5FCF7CBE0,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 10341000x8000000000000000347513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.748{6820D070-4AD1-6323-0C00-000000007502}828964C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000347512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.726{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Debugger.dll6.2.0.0dnSpy.Contracts.DebuggerdnSpy.Contracts.DebuggerdnSpy.Contracts.DebuggerdnSpy.Contracts.Debugger.dllMD5=A3B0A7DB78809411199BD15E8B0CD436,SHA256=52DEBF660F28982C3EFC8735D3CFD1C8DD9755631D1429C902D2DBCCC38C1AFC,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000347511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.726{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Debugger.DotNet.dll6.2.0.0dnSpy.Contracts.Debugger.DotNetdnSpy.Contracts.Debugger.DotNetdnSpy.Contracts.Debugger.DotNetdnSpy.Contracts.Debugger.DotNet.dllMD5=CAD3FCEBE5BF8CC5B2331594D2D98B92,SHA256=EF0CF304AC7A269955E96B77C0AFFFDCE2C40779657726C047628AB17A4D16F6,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000347510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.726{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.VisualStudio.Language.Intellisense.dll15.3.1711.0902Microsoft.VisualStudio.Language.IntellisenseMicrosoft® Visual Studio®Microsoft CorporationMicrosoft.VisualStudio.Language.Intellisense.dllMD5=0B8EE9C16452E25BA8213164A8C0DF19,SHA256=EE591319B81309F70617C0A444D8B7BC014BD8C86B3A35034748149B8D129554,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x8000000000000000347509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.726{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\PresentationFramework.Aero.dll6.0.21.52301PresentationFramework.AeroPresentationFramework.AeroMicrosoft CorporationPresentationFramework.Aero.dllMD5=3B96A446158FD2F2DDF061569C0A864C,SHA256=E7BF8D3F25FEEBA7F40B1F7E9D9FCF628D7A5E28E3E9A83828FF082ED237EBD5,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.726{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.dll4.100.22.11411Microsoft.CodeAnalysisMicrosoft.CodeAnalysisMicrosoft CorporationMicrosoft.CodeAnalysis.dllMD5=91945552F973F723A8394EFF78C5EC81,SHA256=DE51F515D2D8D7515DB4C60F1F40FAE351FAF14A4EEEA68635F19F9EF11EFC92,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000347507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.695{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.ComponentModel.Composition.dll4.6.26515.06System.ComponentModel.CompositionMicrosoft® .NET FrameworkMicrosoft CorporationSystem.ComponentModel.Composition.dllMD5=868AD071108F7B0ADCEEC2E9FFCD0FE0,SHA256=AB23A9EE4AD84643847865D6E975C6746BD913270DD63E7CA9125E4DC255645F,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x8000000000000000347506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.695{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=AC951CC1306C73767A05F04BFC916CD8,SHA256=5FE28B70168433EF1C6DDE3CB1BE43A1A614508C37BC9C32F2051E5BA341C6C3,IMPHASH=EF37C47ACC74D5DC3737EEE137193A8DtrueMicrosoft WindowsValid 734700x8000000000000000347505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.679{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.VisualStudio.Text.Data.dll15.3.1711.0902Microsoft.VisualStudio.Text.DataMicrosoft® Visual Studio®Microsoft CorporationMicrosoft.VisualStudio.Text.Data.dllMD5=EEFA9B065F29C2794AC489244DAFA7B3,SHA256=5AC8022AB982A5C36D64FB30B8115E2E43FACA91768C36AB8BA8B7E93E3DBDE6,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x8000000000000000347504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.679{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll6.0.21.52210System.Diagnostics.ProcessMicrosoft® .NETMicrosoft CorporationSystem.Diagnostics.Process.dllMD5=FF8ED269DA24C8909E4DC53608907DB8,SHA256=001732FFE73963060E449AE0488735C3B7D6403F19ED8A5A4CFE3B38162E1D4E,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.679{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Threading.Tasks.Dataflow.dll6.0.21.52210System.Threading.Tasks.DataflowMicrosoft® .NETMicrosoft CorporationSystem.Threading.Tasks.Dataflow.dllMD5=5FC735EC74E9CC837E59A4B4F190931E,SHA256=D56D0ACE28636F578A33D052B4EB4BF99776309AFC8BF9EE3FB083F67F49C313,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.664{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Runtime.Serialization.Formatters.dll6.0.21.52210System.Runtime.Serialization.FormattersMicrosoft® .NETMicrosoft CorporationSystem.Runtime.Serialization.Formatters.dllMD5=763E74F3EC45A557B4A7153AF052C8C0,SHA256=4AF14082BB3910CB5438A1FDCC217E4B95FC21EDB586293D88B66EB10B358A86,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.648{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Resources.ResourceManager.dll6.0.21.52210System.Resources.ResourceManagerMicrosoft® .NETMicrosoft CorporationSystem.Resources.ResourceManager.dllMD5=8FF31FA4E34E2E903976BF58A0AD23E7,SHA256=49E7D1C0AD3A52EF869E44FCD782E5843B4079128E0301BA69A48B3A3CCB1787,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000347500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.648{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Threading.Tasks.dll6.0.21.52210System.Threading.TasksMicrosoft® .NETMicrosoft CorporationSystem.Threading.Tasks.dllMD5=15089A2485168458FF713F1629F3683F,SHA256=1B54B6551B2DF3469DDA05CD17F43E1F457981EE1F5D89ECE01403441A54738A,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000347499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.648{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\ICSharpCode.TreeView.dll4.2.0.8752ICSharpCode.TreeViewSharpDevelopic#codeICSharpCode.TreeView.dllMD5=64ABAA87419FD9D5F4390BFBE0822FE7,SHA256=74B9B8395E999C1024785BA88521248CD39622107FDA6545CEC167A89F41B9A6,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000347498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.648{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Collections.Immutable.dll6.0.21.52210System.Collections.ImmutableMicrosoft® .NETMicrosoft CorporationSystem.Collections.Immutable.dllMD5=4EB72CD3197832DB3D1DF4F4DC5D57DA,SHA256=581208392C096999DBF244C13C32D83E91476EC51B53D3FAC0EF48060AFFA0B4,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.648{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Scripting.Roslyn.x.dll6.2.0.0dnSpy.Scripting.Roslyn.xdnSpy.Scripting.Roslyn.xdnSpy.Scripting.Roslyn.xdnSpy.Scripting.Roslyn.x.dllMD5=8D9021BA2A12CAAB3A1F56EC70998742,SHA256=5E5B176CD1016185B63BD580E243CE3568A43EC160106A93A5CE8FB85F1691C8,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000347496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.648{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Decompiler.ILSpy.x.dll6.2.0.0dnSpy.Decompiler.ILSpy.xdnSpy.Decompiler.ILSpy.xdnSpy.Decompiler.ILSpy.xdnSpy.Decompiler.ILSpy.x.dllMD5=C20D0E8B630FEC6C1FC9530F42BB35A6,SHA256=7C31E252536EC4FACD0BE83B308D4C82BC696A3B47175CE768F76EF0E66193DB,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000347495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.648{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.x.dll6.2.0.0dnSpy.Debugger.xdnSpy.Debugger.xdnSpy.Debugger.xdnSpy.Debugger.x.dllMD5=EF64004832FB8B6529F2A2A7A5FD46B1,SHA256=7EDBA94D7486F2A3D0D02C1FC6BAE4D2BD192B8402FDD134E18CA4D3396ED4CB,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 23542300x8000000000000000347494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.641{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=350EF2B01EE2A5FEF9B9A8803F7763AE,SHA256=33F84EDA0F590572ADCDA961BF23AE0C3F3DAA90EC8F7AA95A2983F00E22CF46,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000347493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.626{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.x.dll6.2.0.0dnSpy.Debugger.DotNet.xdnSpy.Debugger.DotNet.xdnSpy.Debugger.DotNet.xdnSpy.Debugger.DotNet.x.dllMD5=ED2878B9D2F786DE405EC9CC4A4DB6FB,SHA256=9C7BE7BDEB9BE182539A1721BB28352702474259D829E3373AB951F5BF4DB33B,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000347492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.626{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.Mono.x.dll6.2.0.0dnSpy.Debugger.DotNet.Mono.xdnSpy.Debugger.DotNet.Mono.xdnSpy.Debugger.DotNet.Mono.xdnSpy.Debugger.DotNet.Mono.x.dllMD5=EBED5C954CCE85A54E5B199AFC0FB271,SHA256=2A0A73927E19CEC582AA5AF7CC932EC1AEDFC64047A073ECD8A6CCC2AEDCAC8A,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000347491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.626{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Debugger.DotNet.CorDebug.x.dll6.2.0.0dnSpy.Debugger.DotNet.CorDebug.xdnSpy.Debugger.DotNet.CorDebug.xdnSpy.Debugger.DotNet.CorDebug.xdnSpy.Debugger.DotNet.CorDebug.x.dllMD5=B55C01674DFEFC19ABAB5B85AB9A4380,SHA256=85A2AB0C80DBC4082D6D0F7700C1CDBBCF7217313C1ED4A2BC641C7FB443F94B,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000347490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.626{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Net.WebHeaderCollection.dll6.0.21.52210System.Net.WebHeaderCollectionMicrosoft® .NETMicrosoft CorporationSystem.Net.WebHeaderCollection.dllMD5=C785181850F0D84351236C3D7DE3A28F,SHA256=20B374286120DA35EA3B2913DB826897292FC7C142477B979A7A6A7BE19E4C40,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.626{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.BamlDecompiler.x.dll6.2.0.0dnSpy.BamlDecompiler.xdnSpy.BamlDecompiler.xdnSpy.BamlDecompiler.xdnSpy.BamlDecompiler.x.dllMD5=EC48266ECB5E53436976F4933BE8BD4C,SHA256=484E672C53E7FE673E62B6E946991D51ED8931C2DEF66B5E8B96B9B634D18C9F,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000347488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.624{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Net.Primitives.dll6.0.21.52210System.Net.PrimitivesMicrosoft® .NETMicrosoft CorporationSystem.Net.Primitives.dllMD5=2385DBB0768187620F05938F948FE85B,SHA256=E4D471D3286B1A45637CC3B460D87B4C602CFB0BDAFA59E96C290187B134DB8A,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.619{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Net.Requests.dll6.0.21.52210System.Net.RequestsMicrosoft® .NETMicrosoft CorporationSystem.Net.Requests.dllMD5=8420307E73415E506DBF06BE0B97A3E7,SHA256=9121E89E437F1DC7C6A2AD241463DCD65E1C33AC836ECE62E554822C325CFD9C,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.616{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.AsmEditor.x.dll6.2.0.0dnSpy.AsmEditor.xdnSpy.AsmEditor.xdnSpy.AsmEditor.xdnSpy.AsmEditor.x.dllMD5=21555769A9489E1DF0349DC9FF02AAAE,SHA256=88978BED6CC52DAC7EDF3952F99DA28D110E40C549E1CF1A88E8E434A3DD1EB7,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000347485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.595{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.ObjectModel.dll6.0.21.52210System.ObjectModelMicrosoft® .NETMicrosoft CorporationSystem.ObjectModel.dllMD5=24D02E16C185592A3B91C2B44939B100,SHA256=546E77685BA444834ADF82F8FFE2B2D71D2C43E272314C34BA150B9148D65FD1,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.595{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Collections.Concurrent.dll6.0.21.52210System.Collections.ConcurrentMicrosoft® .NETMicrosoft CorporationSystem.Collections.Concurrent.dllMD5=B7D52C2138212B850DD4E232DC36A46A,SHA256=3B5B7C7A98211057CA8D97460C4054844117D2EA9479FDFAED502953C36FAF32,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.579{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Analyzer.x.dll6.2.0.0dnSpy.Analyzer.xdnSpy.Analyzer.xdnSpy.Analyzer.xdnSpy.Analyzer.x.dllMD5=37E40820E363C2943F8F38DB49C86D1D,SHA256=E2C12165432FD088F5159FB588457925CB5F25DA0C9B07D2F6537978AAEAB86D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000347482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.579{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.ComponentModel.dll6.0.21.52210System.ComponentModelMicrosoft® .NETMicrosoft CorporationSystem.ComponentModel.dllMD5=59842A083518AD506AB179ADE2AE71CD,SHA256=1BD117D7C9E2AD6285BB704BF363DF4AC72B55F747BBF56E9D042098C35E9EEF,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.579{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Windows.Extensions.dll6.0.21.52210System.Windows.ExtensionsMicrosoft® .NETMicrosoft CorporationSystem.Windows.Extensions.dllMD5=9078F26D1DAAFBD73E2EB44B94E811DD,SHA256=9638C1FD08FBD30FAE46F089C922670B6C40E456D48974945171FE512A85FEA9,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.579{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Private.Xml.Linq.dll6.0.21.52210System.Private.Xml.LinqMicrosoft® .NETMicrosoft CorporationSystem.Private.Xml.Linq.dllMD5=55A9A8898433FDF40A04F03309802075,SHA256=B3A7169165885E8B902C6048F04909C9A2694887538BF60918CDFFB84F8617A3,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.579{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Xml.XDocument.dll6.0.21.52210System.Xml.XDocumentMicrosoft® .NETMicrosoft CorporationSystem.Xml.XDocument.dllMD5=9189E11DCB10DC7C15DC9F28FCB97500,SHA256=BE8A5A9BB08CFFADB118D9D2BF851D4EBBD798AF3436194122695B06B7BD0086,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000347478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.579{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.ComponentModel.TypeConverter.dll6.0.21.52210System.ComponentModel.TypeConverterMicrosoft® .NETMicrosoft CorporationSystem.ComponentModel.TypeConverter.dllMD5=1E0E4E82096C2FA5E959ECC931B55BEA,SHA256=89995600F48571DC7206A2125D9F179476B4DF6C47C50F73382DB1179FF945A5,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.563{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.VisualBasic.EditorFeatures.dll1.0.0.0dnSpy.Roslyn.VisualBasic.EditorFeaturesdnSpy.Roslyn.VisualBasic.EditorFeaturesdnSpy.Roslyn.VisualBasic.EditorFeaturesdnSpy.Roslyn.VisualBasic.EditorFeatures.dllMD5=BD737F79DF7D748BA12A961E96F0ED36,SHA256=7BCA32B7500A7870E61BFAB75D90EAA6D23ED981E0A3DD988BE3156AA0C19732,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000347476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.563{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.CSharp.EditorFeatures.dll1.0.0.0dnSpy.Roslyn.CSharp.EditorFeaturesdnSpy.Roslyn.CSharp.EditorFeaturesdnSpy.Roslyn.CSharp.EditorFeaturesdnSpy.Roslyn.CSharp.EditorFeatures.dllMD5=9F9972EDBC7C43F1E1C9474AC3653A0C,SHA256=40067F138670D976676535D5F0D0D57084CC3D1D21CC243BEE0146A894EB74FE,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000347475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.563{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.EditorFeatures.dll1.0.0.0dnSpy.Roslyn.EditorFeaturesdnSpy.Roslyn.EditorFeaturesdnSpy.Roslyn.EditorFeaturesdnSpy.Roslyn.EditorFeatures.dllMD5=6C6A2076DA06F4B92E270E5C3F1954ED,SHA256=281564B0813143210B432751BCB3278D729EC8A9B08385F24488C0B7A790BBBD,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000347474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.563{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Diagnostics.TraceSource.dll6.0.21.52210System.Diagnostics.TraceSourceMicrosoft® .NETMicrosoft CorporationSystem.Diagnostics.TraceSource.dllMD5=23963EBDEE54DFEC8D0A4249B0D6F6C6,SHA256=905D61618F4923DAF84424A0A884E9C0B46561DA4BE92B6EEEF7D58807A6C408,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.563{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.VisualStudio.Text.UI.Wpf.dll15.3.1711.0902Microsoft.VisualStudio.Text.UI.WpfMicrosoft® Visual Studio®Microsoft CorporationMicrosoft.VisualStudio.Text.UI.Wpf.dllMD5=73EB6BCE506CB1EEA24B7EAC9016961D,SHA256=AFBB75D4627E03BBC623D431DC60A0369C5F1951DB9F5F204348923FEEFF2420,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x8000000000000000347472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.563{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.VisualStudio.CoreUtility.dll15.3.1711.0902Microsoft.VisualStudio.CoreUtilityMicrosoft® Visual Studio®Microsoft CorporationMicrosoft.VisualStudio.CoreUtility.dllMD5=2D07B735A69CA36E3F0F38C6387B8E28,SHA256=B89BE2024F64A5EAD3BA16985C42D69C13E58F58745206B9A17B594978754713,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x8000000000000000347471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.563{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.VisualStudio.Text.UI.dll15.3.1711.0902Microsoft.VisualStudio.Text.UIMicrosoft® Visual Studio®Microsoft CorporationMicrosoft.VisualStudio.Text.UI.dllMD5=EB52DE9017440E056D47952ABEBE4EF6,SHA256=BB6332D6C685F9AA6F2CA7E2FAB34671CE3138681A978615C85AAB6F8B79DF13,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x8000000000000000347470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.563{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\mscorlib.dll6.0.21.52210mscorlibMicrosoft® .NETMicrosoft Corporationmscorlib.dllMD5=43944704C060BEB13A6A59D2AE0A4DB3,SHA256=1FAD257F5FAB87C483C16512280658643C0D2B8947D2A7BBA8B1129BB11072E0,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000347469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.563{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.VisualStudio.Text.Logic.dll15.3.1711.0902Microsoft.VisualStudio.Text.LogicMicrosoft® Visual Studio®Microsoft CorporationMicrosoft.VisualStudio.Text.Logic.dllMD5=02226BF39CB9BA85E52E77F9789C8F07,SHA256=62905B7867D9487B5F1DB82825904D0DFC04ACE5966BEABBFCEE193CCF1C3D8B,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x8000000000000000347468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.548{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.dll6.2.0.0dnSpy.RoslyndnSpy.RoslyndnSpy.RoslyndnSpy.Roslyn.dllMD5=E894FA6CEC92DBBD21D60204EF30010B,SHA256=564AB579CE81877E0A77785009A91390B7B28B4C28872B93131EB79315D5A62F,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000347467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.548{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Threading.ThreadPool.dll6.0.21.52210System.Threading.ThreadPoolMicrosoft® .NETMicrosoft CorporationSystem.Threading.ThreadPool.dllMD5=9840BBA2322F313B5ECC3F354154DED0,SHA256=FBE97ED25B7D8E16B6E31C1096DD5C3FBD57C52F8493D2DD203318AB18C99662,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000347466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.525{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.IO.Packaging.dll6.0.21.52210System.IO.PackagingMicrosoft® .NETMicrosoft CorporationSystem.IO.Packaging.dllMD5=DA615D912E394CE4EB9AF1A0059A4B67,SHA256=1DB55A41C5EBA6961C42FD117E05327397A38CC7EE6D43140800A520BF907D62,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.525{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.VisualStudio.Validation.dll15.5.31.7307Microsoft.VisualStudio.ValidationMicrosoft.VisualStudio.ValidationMicrosoftMicrosoft.VisualStudio.Validation.dllMD5=8E43C497B9A18938E8D320198C097CDE,SHA256=5297CDB7C4BED7A211E32372E5DB0CEC38DB389CDD5D47B661B917B0BCB21C19,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x8000000000000000347464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.525{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.VisualStudio.Composition.dll16.9.20.46383Microsoft.VisualStudio.CompositionMicrosoft.VisualStudio.CompositionMicrosoftMicrosoft.VisualStudio.Composition.dllMD5=7C2178AB00DCD3293CDC6E802E0630B0,SHA256=C7FC06522F493BB7070EF991FBB9569FD9697EC8676CE8DB00C69351699E5581,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x8000000000000000347463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.522{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Runtime.Loader.dll6.0.21.52210System.Runtime.LoaderMicrosoft® .NETMicrosoft CorporationSystem.Runtime.Loader.dllMD5=C76DF667CD6B5222575F0F44F5FFA040,SHA256=A229C3349D6A93FECEA7C3905A7843F17C2E718CC1C8455FE5344192816EFECB,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000347462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.521{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Contracts.Logic.dll6.2.0.0dnSpy.Contracts.LogicdnSpy.Contracts.LogicdnSpy.Contracts.LogicdnSpy.Contracts.Logic.dllMD5=0B99E2FBD4EA2F5D197AFF054974BE8C,SHA256=145DFCF17BCA921B615C0C9B36CD840122281C02C74645A373E012EE264F465B,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000347461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.494{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85,IMPHASH=60EA58ED63BD25EC1709F72F112B0086trueMicrosoft WindowsValid 734700x8000000000000000347460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.494{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Linq.dll6.0.21.52210System.LinqMicrosoft® .NETMicrosoft CorporationSystem.Linq.dllMD5=7FB3F6E2FEE95DD6F13BACC74C169518,SHA256=AA688315AA69207C3414778BE7E7784FD454092D88BDA688CBEE708E5D4918BC,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.478{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.Win32.Registry.dll6.0.21.52210Microsoft.Win32.RegistryMicrosoft® .NETMicrosoft CorporationMicrosoft.Win32.Registry.dllMD5=DB21B670334DC68D3482D7831897AD97,SHA256=D11BE3A16FF786D384392BA1091AF8927F02BBE63940EDF90989CA6D1A407925,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.463{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Text.Encoding.Extensions.dll6.0.21.52210System.Text.Encoding.ExtensionsMicrosoft® .NETMicrosoft CorporationSystem.Text.Encoding.Extensions.dllMD5=E4F081F8B18FA697608385114D1C57F9,SHA256=973E762AD8FE034921FE58FCAC859E6CCEB0BB397B1F52709D6CAF11D891A5AA,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000347457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.463{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Memory.dll6.0.21.52210System.MemoryMicrosoft® .NETMicrosoft CorporationSystem.Memory.dllMD5=27D7183C28B8EC6B573FCA98E58B40D6,SHA256=AC5E2A48378826E15861C58B098B0C0C02F071EE5781FACF26209B75B264D6B0,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.463{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.ComponentModel.EventBasedAsync.dll6.0.21.52210System.ComponentModel.EventBasedAsyncMicrosoft® .NETMicrosoft CorporationSystem.ComponentModel.EventBasedAsync.dllMD5=9CC765DD1BD3BF0596778CBE1F8DEDD1,SHA256=36E2AFCE3DCE32F17177C3A1251EE168454967C50CA493CFCB685FB7D07FE4B8,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.463{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Net.WebClient.dll6.0.21.52210System.Net.WebClientMicrosoft® .NETMicrosoft CorporationSystem.Net.WebClient.dllMD5=5300F9FDCD5FE441970963EBC85567EC,SHA256=F8A1B90F32792242AFE8EE2377BC3B89A52EDBC94F5A67B7482609DF284E0E58,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.463{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Xml.ReaderWriter.dll6.0.21.52210System.Xml.ReaderWriterMicrosoft® .NETMicrosoft CorporationSystem.Xml.ReaderWriter.dllMD5=48C48D9A5FC64B5688A44CBA2412F918,SHA256=C9A047960D0AB3FC41A20DEB7AE1AD666132D6A553F06F6E8AE2CCEE308A0196,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000347453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.463{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6D,IMPHASH=61592743BFAEF2F12950E5420FA2AEB1trueMicrosoft WindowsValid 734700x8000000000000000347452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.447{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Private.Xml.dll6.0.21.52210System.Private.XmlMicrosoft® .NETMicrosoft CorporationSystem.Private.Xml.dllMD5=F6B0A78FF996B24E2256E69555BE0B3A,SHA256=5C980BCE1F226C3A8BDFAC62AC89579C11261C67833B9BF36D5294B8EA19134E,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.345{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Private.Uri.dll6.0.21.52210System.Private.UriMicrosoft® .NETMicrosoft CorporationSystem.Private.Uri.dllMD5=25253137421362E716393516A93AE580,SHA256=3144A8D867A9D6C8C7D55F7F3D349749ED6A4718B2AF1140FD34E025A37EED21,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.339{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Runtime.InteropServices.RuntimeInformation.dll6.0.21.52210System.Runtime.InteropServices.RuntimeInformationMicrosoft® .NETMicrosoft CorporationSystem.Runtime.InteropServices.RuntimeInformation.dllMD5=EEF90066DCC508F3C522B0256E0A9331,SHA256=0B4200F3BD5B43BAC52B67E6FF0551719F8A872130A40B73147AF53D235C45EB,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.323{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\PresentationNative_cor3.dll6,0,21,48001 @Commit: bf6f24c075ff5315d0ec0e5359138ee796b0491cPresentationNativeMicrosoft® .NET Framework-PresentationNativeMD5=20F783E735E2E6FF39D6AC12BD9CA154,SHA256=5E621C3D9EEEA75FCBB6C67FD13E2EB8458E6B1CE1074A5EBC7757677A517F5A,IMPHASH=4A000984DE0F3CF8BAC6CA36DF0ECBD4true.NETValid 734700x8000000000000000347448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.318{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Collections.Specialized.dll6.0.21.52210System.Collections.SpecializedMicrosoft® .NETMicrosoft CorporationSystem.Collections.Specialized.dllMD5=1854CDF013502FCCB49D0B3F38AAB283,SHA256=3468C8668B6C841BC171EB7A0C86DA8A7C89864A872B09D78671487393FA27B9,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.313{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Configuration.ConfigurationManager.dll6.0.21.52210System.Configuration.ConfigurationManagerMicrosoft® .NETMicrosoft CorporationSystem.Configuration.ConfigurationManager.dllMD5=A67D63BCF77D9C44BAB958ABD1A18473,SHA256=77019CC0047EDEBCDEC7D56A37ADB24627778752705F57022857636E1DE13960,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.290{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Threading.Thread.dll6.0.21.52210System.Threading.ThreadMicrosoft® .NETMicrosoft CorporationSystem.Threading.Thread.dllMD5=836DD9968E19E8F76D08B95FE6B8D0B9,SHA256=79D7781DF83DC99D832DA5FF21203A6E1B4B20350E00A9B072A8D1FCD458F7DC,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000347445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.290{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.ComponentModel.Primitives.dll6.0.21.52210System.ComponentModel.PrimitivesMicrosoft® .NETMicrosoft CorporationSystem.ComponentModel.Primitives.dllMD5=C07991C8EB3B098CA704B90C0D3243C1,SHA256=83D450B9AC66E23978314CADA04E3B59D040403EB32E3046420F66B406D44EE4,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.290{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Collections.dll6.0.21.52210System.CollectionsMicrosoft® .NETMicrosoft CorporationSystem.Collections.dllMD5=2BFBB37DAE7C0B7B8A4F67A23E527B9B,SHA256=FD5BFB02BA216AB7F404BF0F0F4F8B9268538641F26C4B2BECB71BC053626EFC,IMPHASH=00000000000000000000000000000000true.NETValid 23542300x8000000000000000347443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.290{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21584FB31D6E4B9296D8ABF8952E9E20,SHA256=FBC5DB3EEDC950CB2750C84424B115DA1418F81D789ABF91603582FA48D3E3CA,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000347442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.290{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\UIAutomationTypes.dll6.0.21.52301UIAutomationTypesUIAutomationTypesMicrosoft CorporationUIAutomationTypes.dllMD5=C09571FD711E08331AA3FE4D12FD41C3,SHA256=546E9C600A3DAEB536CB430A523B03C27D4E24CB4D3D10D86831363C494B615A,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.275{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Xaml.dll6.0.21.52301System.XamlSystem.XamlMicrosoft CorporationSystem.Xaml.dllMD5=3659250C6181F537E3D286B78BBFB764,SHA256=7668E12AAE5B47BAA62F396B33B106ECD35F7D2A77AA264AC88C66696E990CBD,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.259{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\PresentationFramework.dll6.0.21.52301PresentationFrameworkPresentationFrameworkMicrosoft CorporationPresentationFramework.dllMD5=7A02A4EFAA1916DD6F6F0B9EC829ECEF,SHA256=2C78924D2005AFC81AA01FAF0D3606BA0AD27B9CAAB21C86742948C93880AEC1,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.121{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Collections.NonGeneric.dll6.0.21.52210System.Collections.NonGenericMicrosoft® .NETMicrosoft CorporationSystem.Collections.NonGeneric.dllMD5=D5F39EB8998748FE4240FDDB4A4ED075,SHA256=488CD734D2731BD94131D6B334B57548051CE95F81C1E560E1D64761D02CA8BB,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.121{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\DWrite.dll10.0.14393.4704 (rs1_release.211004-1917)Microsoft DirectX Typography ServicesMicrosoft® Windows® Operating SystemMicrosoft CorporationDWriteMD5=40E6DDAF1D9B1EE5982EE386E7CF2CCD,SHA256=9640D39690AF9B66334565B41BD6C71350B49E6C99FBDF0107316A31830CC3B8,IMPHASH=A304C1ECFEFBD3A520A9945E2188D759trueMicrosoft WindowsValid 734700x8000000000000000347437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.117{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.Win32.Primitives.dll6.0.21.52210Microsoft.Win32.PrimitivesMicrosoft® .NETMicrosoft CorporationMicrosoft.Win32.Primitives.dllMD5=39943DFE6BB6C26051F6E4F6D058E865,SHA256=592F60777AEB358863EA732852F6C1D5F5852E686C6CB01F24E7C5C21F75BAEB,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.114{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Threading.dll6.0.21.52210System.ThreadingMicrosoft® .NETMicrosoft CorporationSystem.Threading.dllMD5=3B6EE7360075D0DA62155681EDBD07DF,SHA256=04871B7FAA29EB95C36F7A70610CBCC9E9AA6A99120D4C17FBD16107C2B7ECAC,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.112{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Diagnostics.Debug.dll6.0.21.52210System.Diagnostics.DebugMicrosoft® .NETMicrosoft CorporationSystem.Diagnostics.Debug.dllMD5=7EFA152A06CB91E1723E4D6AC0357B41,SHA256=FA6FA137CB312A00346D96ED50BDD463FCD0A258989039D483977D51291C939A,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000347434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.110{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Runtime.CompilerServices.VisualC.dll6.0.21.52210System.Runtime.CompilerServices.VisualCMicrosoft® .NETMicrosoft CorporationSystem.Runtime.CompilerServices.VisualC.dllMD5=482D945DA223937EB9E12EC6A5D4698A,SHA256=53C4233385A613EF20014C46A91480553BCE7886FE0E7E85B9B056876C4E694C,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.090{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Runtime.InteropServices.dll6.0.21.52210System.Runtime.InteropServicesMicrosoft® .NETMicrosoft CorporationSystem.Runtime.InteropServices.dllMD5=9F3143CED52097B0A2957A8BE7145A3C,SHA256=A76486D3A29BD3D701DA262AF0EFAB75696F5370E38E9259A051FCE2D51B6B6B,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.090{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Runtime.Extensions.dll6.0.21.52210System.Runtime.ExtensionsMicrosoft® .NETMicrosoft CorporationSystem.Runtime.Extensions.dllMD5=040B9847AF56ECD80DE4FED9303727F3,SHA256=D8C2A863239F9042F1E65F3C3563E8B3A9509A33345E3A800328DB84885DA52E,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000347431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.090{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\DirectWriteForwarder.dll6,0,21,52301 @Commit: 3f75a67c752a116de292affae29a22bbb5b71b18DirectWriteForwarderMicrosoft® .NET Framework-DirectWriteForwarderMD5=3683B801DB70E9D96064D724A462FB80,SHA256=A14ECB1D297220D44C611C1CC8C75E3AC856CE4BEE98FF0366B09C713F557E80,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.090{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\WindowsBase.dll6.0.21.52301WindowsBaseWindowsBaseMicrosoft CorporationWindowsBase.dllMD5=2A168C5013C095473BF9775000A45CB6,SHA256=E583D38EE46F51C48FFE0E6A89B9F46EC194A7271886D4CCEB815D0C28F8FAE1,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.059{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\PresentationCore.dll6.0.21.52301PresentationCorePresentationCoreMicrosoft CorporationPresentationCore.dllMD5=C8AC6700FE19D988956A0C16B0ECB1FE,SHA256=A599CEF5F3F0D9C7826E82494D83043B2419BBF96A1BD1E93E70890FEE0F16A4,IMPHASH=00000000000000000000000000000000true.NETValid 23542300x8000000000000000190273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:44.967{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38331B40EA6685A39E00C22862FE26A6,SHA256=22DD95D770883E9C28D717EF08559083BBF9FD8FB557A740D2524039F7F5EBE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000347631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.949{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=719105CC4058304301A3EFFB439B74CE,SHA256=F7872FBC1E02E0740E3A37D75D6CF2BB8B04E78E12AD33C09E495895E2464E1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000347630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.945{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05C414353DB24A5386F3E3B6C53B1B73,SHA256=72166C517E8D5AB67B94FADC0587E85790E5468BD5F9622B379CD4A8B6AD7003,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000347629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.919{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E48-6323-4501-000000007502}7716C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000347628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.919{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E48-6323-4501-000000007502}7716C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000347627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.919{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E48-6323-4501-000000007502}7716C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000347626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.918{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E48-6323-4501-000000007502}7716C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000347625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.918{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E48-6323-4501-000000007502}7716C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000347624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.918{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E48-6323-4501-000000007502}7716C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000347623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.769{6820D070-4B7E-6323-9200-000000007502}45764716C:\Windows\system32\taskhostw.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.768{6820D070-4B7E-6323-9200-000000007502}45764716C:\Windows\system32\taskhostw.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:44.161{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B84-6323-9000-000000007602}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:44.144{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:44.126{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:44.120{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8700-000000007602}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:44.113{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B81-6323-8400-000000007602}3052C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:44.109{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B80-6323-8100-000000007602}640C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:44.107{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B7F-6323-7F00-000000007602}1676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:44.105{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B4B-6323-7B00-000000007602}2656C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:44.103{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AE3-6323-6D00-000000007602}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:44.101{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:44.092{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4200-000000007602}3036C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:44.091{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4000-000000007602}3000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:44.089{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-3C00-000000007602}2820C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:44.089{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD2-6323-2B00-000000007602}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:44.087{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2600-000000007602}2612C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:44.086{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2500-000000007602}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:44.082{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:44.078{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:44.076{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2000-000000007602}2000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:44.073{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1F00-000000007602}1984C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:44.067{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1C00-000000007602}1924C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:44.057{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1900-000000007602}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:44.046{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1700-000000007602}1228C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:44.043{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1600-000000007602}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:44.037{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1500-000000007602}1056C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:44.013{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1400-000000007602}1048C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:44.008{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1300-000000007602}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:44.001{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1200-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000347621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.766{6820D070-4B7F-6323-9900-000000007502}29725736C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.766{6820D070-4B7F-6323-9900-000000007502}29725736C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.766{6820D070-4B7F-6323-9900-000000007502}29725736C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.765{6820D070-4B7F-6323-9900-000000007502}29725736C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000347617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.756{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Reflection.Emit.Lightweight.dll6.0.21.52210System.Reflection.Emit.LightweightMicrosoft® .NETMicrosoft CorporationSystem.Reflection.Emit.Lightweight.dllMD5=5A2EEBB47CF27319B58DAC5B70CBC99B,SHA256=C455E599426BA8D753CABB05F35171D9B9A7703D977FAC67D4371B3002C3EBED,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000347616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.727{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4,IMPHASH=19FF3D7E49F43D90E4842B5753CAF441trueMicrosoft WindowsValid 734700x8000000000000000347615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.727{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4,IMPHASH=19FF3D7E49F43D90E4842B5753CAF441trueMicrosoft WindowsValid 734700x8000000000000000347614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.727{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\winmmbase.dll10.0.14393.0 (rs1_release.160715-1616)Base Multimedia Extension API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMMbase.DLLMD5=DCDF6A9E619644E12C74457A8A3C1E1B,SHA256=6D479841917C74DE4D5B07C27BE0BEEAF80E6C12CF01F43D9B2C55714CAF05A4,IMPHASH=19FF3D7E49F43D90E4842B5753CAF441trueMicrosoft WindowsValid 734700x8000000000000000347613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.727{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\winmm.dll10.0.14393.0 (rs1_release.160715-1616)MCI API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWINMM.DLLMD5=2CDB8E874F0950EA17A7135427B4F07D,SHA256=099B17422E1DF0235E024FF5128A60571E72AF451E1C59F4D61D3CF32C1539ED,IMPHASH=A2681C42106048F87359D11744AD087BtrueMicrosoft WindowsValid 734700x8000000000000000347612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.627{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Xml.Linq.dll6.0.21.52210System.Xml.LinqMicrosoft® .NETMicrosoft CorporationSystem.Xml.Linq.dllMD5=BB8C7ECB5F4C3BB2C3AC848EAE4763E0,SHA256=9F67E1887297D3A54EB96836E093F8A8FBE4A38E2E27D64B91E609FA00807B1E,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 10341000x8000000000000000347611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.581{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.581{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000347609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.565{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\twinapi.appcore.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)twinapi.appcoreMicrosoft® Windows® Operating SystemMicrosoft Corporationtwinapi.appcore.dllMD5=807D0265EEB480488FD8F5BD31941489,SHA256=865D0A59E86E52F514BD1A782575CAD36100D7723595E566DD200B538D8B3A9E,IMPHASH=D3851D2627EE20865D40A6CE93CA8A17trueMicrosoft WindowsValid 734700x8000000000000000347608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.527{6820D070-4E48-6323-4501-000000007502}7716C:\Windows\System32\dllhost.exeC:\Windows\System32\thumbcache.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft Thumbnail CacheMicrosoft® Windows® Operating SystemMicrosoft Corporationthumbcache.dllMD5=915850DD84E156381392FC43ECDF37C0,SHA256=03E2C6D75BCC4FE599C40C4929E2877543EE625494BAC86D988AD23A0439468A,IMPHASH=428FE673E24F7848BECF2BA2271A839AtrueMicrosoft WindowsValid 734700x8000000000000000347607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.549{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\dxgi.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)DirectX Graphics InfrastructureMicrosoft® Windows® Operating SystemMicrosoft Corporationdxgi.dllMD5=F44AB7ABA7ED141A36E5C4F81DB43B6E,SHA256=C42607C98E4580B901671FF3E343902C1F05D97A7FE2E85A7920B55D181C1BD3,IMPHASH=4453AC692845F7F4429D6DD3ACF00D0EtrueMicrosoft WindowsValid 734700x8000000000000000347606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.549{6820D070-4E48-6323-4501-000000007502}7716C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000347605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.549{6820D070-4E48-6323-4501-000000007502}7716C:\Windows\System32\dllhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000347604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.549{6820D070-4E48-6323-4501-000000007502}7716C:\Windows\System32\dllhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000347603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.549{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\d3d11.dll10.0.14393.5006 (rs1_release.220301-1704)Direct3D 11 RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D11.dllMD5=A6AC7569771A9D2B9DDB8839076D2C15,SHA256=7D8F95AF6D10F2F4086BF2ED3579E031BD991939816EA2CA162AA4BEF0243ECC,IMPHASH=3C84DC322121BEDBDD23AD37D5500FFCtrueMicrosoft WindowsValid 734700x8000000000000000347602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.527{6820D070-4E48-6323-4501-000000007502}7716C:\Windows\System32\dllhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000347601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.527{6820D070-4E48-6323-4501-000000007502}7716C:\Windows\System32\dllhost.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000347600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.527{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\dcomp.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft DirectComposition LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationdcomp.dllMD5=71488B2A3FEEE42631F968B08ED0503B,SHA256=2693217FA5F2A259F10D580B4AB95787ECB30B2DF16EF98631EF9D4B3DC62564,IMPHASH=37239F56D3864617C4EFB2A5F460F097trueMicrosoft WindowsValid 10341000x8000000000000000347599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.527{6820D070-4AD1-6323-1500-000000007502}12201948C:\Windows\system32\svchost.exe{6820D070-4E48-6323-4501-000000007502}7716C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.527{6820D070-4AD1-6323-1500-000000007502}12201256C:\Windows\system32\svchost.exe{6820D070-4E48-6323-4501-000000007502}7716C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000347597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.524{6820D070-4E48-6323-4501-000000007502}7716C:\Windows\System32\dllhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000347596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.524{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\DataExchange.dll10.0.14393.4169 (rs1_release.210107-1130)Data exchangeMicrosoft® Windows® Operating SystemMicrosoft CorporationDataExchange.dllMD5=D238A301AE8EFABD029CE5C9B7777BF0,SHA256=FBB2B864831D5F0F71E1D0167B4EDD4FACB62BFD7913C465F4E291B868120163,IMPHASH=D87E30B18F53FE55C5B018AF0882ADC7trueMicrosoft WindowsValid 734700x8000000000000000347595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.521{6820D070-4E48-6323-4501-000000007502}7716C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000347594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.521{6820D070-4E48-6323-4501-000000007502}7716C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000347593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.521{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9,IMPHASH=CAC6B3339C5CAA083E24A4484EE86E29trueMicrosoft WindowsValid 734700x8000000000000000347592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.521{6820D070-4E48-6323-4501-000000007502}7716C:\Windows\System32\dllhost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000347591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.520{6820D070-4E48-6323-4501-000000007502}7716C:\Windows\System32\dllhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000347590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.518{6820D070-4E48-6323-4501-000000007502}7716C:\Windows\System32\dllhost.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 10341000x8000000000000000347589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.518{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E48-6323-4501-000000007502}7716C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000347588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.516{6820D070-4E48-6323-4501-000000007502}7716C:\Windows\System32\dllhost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x8000000000000000347587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.496{6820D070-4E48-6323-4501-000000007502}7716C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000347586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.496{6820D070-4E48-6323-4501-000000007502}7716C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000347585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.496{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+163fd|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+268c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.496{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000347583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.496{6820D070-4E48-6323-4501-000000007502}7716C:\Windows\System32\dllhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000347582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.496{6820D070-4E48-6323-4501-000000007502}7716C:\Windows\System32\dllhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000347581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.496{6820D070-4E48-6323-4501-000000007502}7716C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeMD5=DA63852A2B0340E94D74EAF0CD444979,SHA256=EE8364C07B3F4F71FA649E0E6C4C73C15D285130E4B16E79890EEBBF89C2164E,IMPHASH=1C99A7F1249FB0C7B924253B69E59F88trueMicrosoft WindowsValid 734700x8000000000000000347580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.496{6820D070-4E48-6323-4501-000000007502}7716C:\Windows\System32\dllhost.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000347579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.496{6820D070-4E48-6323-4501-000000007502}7716C:\Windows\System32\dllhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 10341000x8000000000000000347578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.496{6820D070-4B7C-6323-8800-000000007502}6281180C:\Windows\system32\csrss.exe{6820D070-4E48-6323-4501-000000007502}7716C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x8000000000000000347577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.496{6820D070-4E48-6323-4501-000000007502}7716C:\Windows\System32\dllhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 10341000x8000000000000000347576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.496{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.496{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000347574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.496{6820D070-4E48-6323-4501-000000007502}7716C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000347573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.496{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=74261D485681A12AFF1AD517FD0EF200,SHA256=DEC3B7B1EBF3F7F4940FE63D665E2C50F6447C848C35C64B1BDE446E04358480,IMPHASH=A92DB75F144155161CE7994504E7528FtrueMicrosoft WindowsValid 734700x8000000000000000347572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.496{6820D070-4E48-6323-4501-000000007502}7716C:\Windows\System32\dllhost.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000347571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.496{6820D070-4ACF-6323-0500-000000007502}404420C:\Windows\system32\csrss.exe{6820D070-4E48-6323-4501-000000007502}7716C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000347570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.496{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4E48-6323-4501-000000007502}7716C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000347569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.496{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\wtsapi32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Remote Desktop Session Host Server SDK APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationwtsapi32.dllMD5=55D5450C85C0A0DE8F2A22F2C0C816AE,SHA256=3CF7B03BEB7C47157C47EACEBFB731096468D1D25FF6784485EFD2FB806C4C5E,IMPHASH=62E80DE569E3D2B9A30E859918635AC7trueMicrosoft WindowsValid 734700x8000000000000000347568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.442{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=53FEB2DF5A3001CEE00158E46CF1F1C2,SHA256=9D4DC493975065C4595DB62DCB0828631D9CF6019C9A82AA0384D65A8E6A62C7,IMPHASH=46FAD5286B22154C348CEBCE1107AFECtrueMicrosoft WindowsValid 734700x8000000000000000347567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.442{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\UIAutomationCore.dll7.2.14393.4169 (rs1_release.210107-1130)Microsoft UI Automation CoreMicrosoft® Windows® Operating SystemMicrosoft CorporationUIAutomationCore.dllMD5=58D7CC486FB757A96482F89A6D2D9088,SHA256=BA035B04C784402F69834914AD787E8DB854A7FB8B244AE6AAF54689DD4AFD09,IMPHASH=E8A9B749DD6516BB6E8D03D2472AFB9CtrueMicrosoft WindowsValid 734700x8000000000000000347566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.380{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\explorer.exeC:\Windows\System32\wpdshext.dll10.0.14393.4169 (rs1_release.210107-1130)Portable Devices Shell ExtensionMicrosoft® Windows® Operating SystemMicrosoft CorporationWpdShExt.dllMD5=CEB555E9099888316A1E2ADE83BA82BF,SHA256=4110FFD5F08100D1F6E1005E2907460E40B3221A0833B821BE291657416E89F0,IMPHASH=60006258D4DE87B31BEDA805A8CC8040trueMicrosoft WindowsValid 734700x8000000000000000347565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.349{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\WindowsCodecs.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft Windows Codecs LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationWindowsCodecsMD5=7294744A8618ADCFB97F6CC9B06781BF,SHA256=9CBA204AECE064C4E8AA5C1E8D7C17EA054A47B315D8CEEFA1C206395E5E32D7,IMPHASH=5CB0004DB7090241A0C06F1853D02144trueMicrosoft WindowsValid 734700x8000000000000000347564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.349{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\iertutil.dll11.00.14393.5291 (rs1_release.220806-1444)Run time utility for Internet ExplorerInternet ExplorerMicrosoft CorporationIeRtUtil.dllMD5=6732CB1D5A08DD097CC0219B1653854B,SHA256=2F59D5F9D370B886BCA0A6B83CDFE1C1A68134A5D6D84D3BE8034BCBEEC7C442,IMPHASH=B1175218A8304DF3BD6BF43A45EE8073trueMicrosoft WindowsValid 734700x8000000000000000347563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.327{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=ABB61EA7CC462930FB56C2D004A5B06C,SHA256=7C1525EEFF5357013C68BDDAB2F255E40C8D82A43EF05F374B8DE7D8B5247711,IMPHASH=B1A124F5ECF68D9AFF86BEE7BFF328D4trueMicrosoft WindowsValid 734700x8000000000000000347562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.327{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=A612555310B7F2A688FA57C7C10615BC,SHA256=028B8BA6A6CF74776C8E4F7485BB7973DE25242F292F837D78AB9CFCC3E8AC90,IMPHASH=158FC41AF95869DAD152F6AD98D3B1B5trueMicrosoft WindowsValid 734700x8000000000000000347561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.327{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\urlmon.dll11.00.14393.5291 (rs1_release.220806-1444)OLE32 Extensions for Win32Internet ExplorerMicrosoft CorporationUrlMon.dllMD5=92CAA0908C33E38522E606F13C23F6E0,SHA256=3A57A5D451EF57257586715AAC74309DA94383D5F8E1DD6C2D29F5172AD44F3F,IMPHASH=A8C982C1E8CF4134B4F2115A6232000DtrueMicrosoft WindowsValid 734700x8000000000000000347560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.314{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Security.Cryptography.Algorithms.dll6.0.21.52210System.Security.Cryptography.AlgorithmsMicrosoft® .NETMicrosoft CorporationSystem.Security.Cryptography.Algorithms.dllMD5=B81BE22569FAFE42814668520A1D5347,SHA256=63EBBC122624312EBE341010B3FFD7A827E074F17132763C78A47682ECF964AE,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.296{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Security.Cryptography.Primitives.dll6.0.21.52210System.Security.Cryptography.PrimitivesMicrosoft® .NETMicrosoft CorporationSystem.Security.Cryptography.Primitives.dllMD5=B9FC91A22094CD30B15BFACBC2CBA1F4,SHA256=4665013250B612BC329C085F1CE603DAC70337BDBC6B2D7D1F342AA439DA3E09,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.280{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.IO.Compression.dll6.0.21.52210System.IO.CompressionMicrosoft® .NETMicrosoft CorporationSystem.IO.Compression.dllMD5=F1EE270D02A87F71FBBE0BA4AA4E0A43,SHA256=85D6EB6688F0A5A0EFAB12B3DBB304941473A2058143DA43BF9E24FC0D620A23,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.280{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Windows.Forms.Primitives.dll6.0.21.52301System.Windows.Forms.PrimitivesMicrosoft® .NETMicrosoft CorporationSystem.Windows.Forms.Primitives.dllMD5=7FCE5CBE0822B4C60EA5F3CA97F01E3E,SHA256=B0A8038E23D5B84197EB9F5663FACF36B1CB9B6A58087472A3567CE55CBCADE2,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.280{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\PresentationFramework-SystemXmlLinq.dll6.0.21.52301PresentationFramework-SystemXmlLinqPresentationFramework-SystemXmlLinqMicrosoft CorporationPresentationFramework-SystemXmlLinq.dllMD5=9F7114B908E373FEC0F74B57A019082B,SHA256=0B0FDCC2671B91BE0EC904E23C8B3C4611CD71229ED69A3CF4392ADF242008F8,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.280{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\WindowsFormsIntegration.dll6.0.21.52301WindowsFormsIntegrationWindowsFormsIntegrationMicrosoft CorporationWindowsFormsIntegration.dllMD5=74118947AE1802707FF134D9AF92F338,SHA256=203FC1BA02345D8423A844E6DCB254468F90B41F72C349861BCCF3299A3F9165,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.264{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Windows.Controls.Ribbon.dll6.0.21.52301System.Windows.Controls.RibbonSystem.Windows.Controls.RibbonMicrosoft CorporationSystem.Windows.Controls.Ribbon.dllMD5=FF11BF2735FC5F8F1C3AB5BC2A246E4E,SHA256=B229CC598BC658F35CCC4367DF57D4D40B1BF0499953D4B7D4C014CDAEF1887F,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.249{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\PresentationFramework-SystemXml.dll6.0.21.52301PresentationFramework-SystemXmlPresentationFramework-SystemXmlMicrosoft CorporationPresentationFramework-SystemXml.dllMD5=CDD0EBE1A38ED139C1A923C674EDC83C,SHA256=7D315D3E4D06D1B7F766ED74886C34A6C989289F653EB4E4F77C9D20FC95B4FE,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.249{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Security.Claims.dll6.0.21.52210System.Security.ClaimsMicrosoft® .NETMicrosoft CorporationSystem.Security.Claims.dllMD5=104BC8691C57F4EC1E06B2BEFE31706A,SHA256=52C05A3D4CDFD64321EBC9CE02D475FD731C23618D19FCF7073EEFC59C92629E,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.249{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Security.Principal.Windows.dll6.0.21.52210System.Security.Principal.WindowsMicrosoft® .NETMicrosoft CorporationSystem.Security.Principal.Windows.dllMD5=0DEFD6DCF365B2761F476BA134E256A2,SHA256=206E394E39434F9E422CEBDE63CA13DA7D9AB691B0D5EDAD8B09F443C397926E,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.249{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\d3d10warp.dll10.0.14393.2608 (rs1_release.181024-1742)Direct3D 10 RasterizerMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D10Warp.dllMD5=95A1BA1B908C04EE471AAB365D557FC4,SHA256=5EAFA5C8125CE0A4C69238F28E94E9DC96ECB2474CF429A1BA4C56233D32EBFE,IMPHASH=781D96AFC4A43989716F0476826C7E94trueMicrosoft WindowsValid 734700x8000000000000000347549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.226{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Images.dll1.0.0.0dnSpy.ImagesdnSpy.ImagesdnSpy.ImagesdnSpy.Images.dllMD5=ACC4E2952FC26913D94D45E21D19DE55,SHA256=EDAB4416BA61CB1215FAAB5F16A16C14582D2C91945C8530A805CA068151EA8A,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000347548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.226{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\d3d9.dll10.0.14393.447 (rs1_release_inmarket.161102-0100)Direct3D 9 RuntimeMicrosoft® Windows® Operating SystemMicrosoft CorporationD3D9.dllMD5=17C406D38C3989FF3BDB17D08C1991CE,SHA256=CB991C87BEBCC39F14696409BA99F1B76FE59ABE7F4CE3A3C32660BD40528676,IMPHASH=812DD928B5D288A053A41C64D9CF80E9trueMicrosoft WindowsValid 734700x8000000000000000347547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.203{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Drawing.Common.dll6.0.21.52210System.Drawing.CommonMicrosoft® .NETMicrosoft CorporationSystem.Drawing.Common.dllMD5=3F61C522E02B3665FEDF3F63BC819831,SHA256=93BCF120B10D65BED9F81CEA326780402A51AF0E481B866E216C8BC6F1BC898B,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.188{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\PresentationFramework.Aero2.dll6.0.21.52301PresentationFramework.Aero2PresentationFramework.Aero2Microsoft CorporationPresentationFramework.Aero2.dllMD5=9CC6B8074ED91CB19EAF41CD15C17848,SHA256=5A400B8E41508C30C3BF8BF51A82F1887D419DB450C5D668C0FD5BCE33ABD6F7,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.166{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\UIAutomationProvider.dll6.0.21.52301UIAutomationProviderUIAutomationProviderMicrosoft CorporationUIAutomationProvider.dllMD5=99898CAD47373801D1B0009132D5818A,SHA256=2E9CF404A035A4ABE9016F57916CA80E166DF7396F82F4A4F66E944C3F80D539,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.126{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Text.RegularExpressions.dll6.0.21.52210System.Text.RegularExpressionsMicrosoft® .NETMicrosoft CorporationSystem.Text.RegularExpressions.dllMD5=AB9FFD1FF21B691044015FC7D1B74808,SHA256=1F63A3FE8C74097DD9265F10DEA6DA6C3E8E0E1E74ABBF0F8743CB041F24116F,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.095{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.dll6.0.21.52210SystemMicrosoft® .NETMicrosoft CorporationSystem.dllMD5=7D05EDA810470E90613D8AB61C04DFF4,SHA256=AF8058DCAACF7BCDEBBC8088A75E6BD3F46D7A57D89B8F00418917E6B232201E,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000347542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.095{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Core.dll6.0.21.52210System.CoreMicrosoft® .NETMicrosoft CorporationSystem.Core.dllMD5=CADB65D73483FD4D10A52E9BC09D0F2C,SHA256=7192696D54A82EA86CB25A2DDDE775A0661C7C69EBBD0030B66CA6E60F1E91BF,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 10341000x8000000000000000347541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.095{6820D070-4AD1-6323-1200-000000007502}3961540C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cd4|c:\windows\system32\fntcache.dll+17a6f|c:\windows\system32\fntcache.dll+1a637|c:\windows\system32\fntcache.dll+1aa6c|c:\windows\system32\fntcache.dll+501de|c:\windows\system32\fntcache.dll+4fee2|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000347540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.080{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Reflection.Primitives.dll6.0.21.52210System.Reflection.PrimitivesMicrosoft® .NETMicrosoft CorporationSystem.Reflection.Primitives.dllMD5=D0E36BF15D624B2EEDAF841DF183D3A7,SHA256=7E1A3CC1CEF7034B990CB72F2A58155DFD0EF7BE78F0FAF95188E518446DDE47,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000347539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.080{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Reflection.Emit.ILGeneration.dll6.0.21.52210System.Reflection.Emit.ILGenerationMicrosoft® .NETMicrosoft CorporationSystem.Reflection.Emit.ILGeneration.dllMD5=02F4F1EA5966FED3EC7E633A120F66C7,SHA256=64F3DC9CB8A00CD761A6BC4304F89F859E86E453D25C104A30CBEE1EEFB092A3,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000347538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.080{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Reflection.Emit.dll6.0.21.52210System.Reflection.EmitMicrosoft® .NETMicrosoft CorporationSystem.Reflection.Emit.dllMD5=CDCCA39FB513ABBC5267242CFA34A065,SHA256=1C708DDA9A34C24E9D5DEAB3E59EBB38289028D948FA5DF81B8695906E254A47,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000347537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.080{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\ICSharpCode.NRefactory.CSharp.dll5.5.1ICSharpCode.NRefactory.CSharpSharpDevelop/MonoDevelopICSharpCodeICSharpCode.NRefactory.CSharp.dllMD5=CCF01956A470A9197DFBFE38EF1A6623,SHA256=10472BE5C44E61CA9FB4FB443DF2353EB22030711CBE78266A34D76A3E81A21F,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000347536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.064{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\D3DCompiler_47_cor3.dll10.0.19041.685 (WinBuild.160101.0800)Direct3D HLSL Compiler for RedistributionMicrosoft® Windows® Operating SystemMicrosoft Corporationd3dcompiler_47.dllMD5=CD8A3BE4D5871171FD0B107132D97BE8,SHA256=4A62063A3C7EFCF0FAA3800A93FCD26728EF753D3B83BC919C12CEBFB582F0F0,IMPHASH=131726669BC1E34B495EDB4198D0ACA3trueMicrosoft CorporationValid 734700x8000000000000000347535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.026{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\wpfgfx_cor3.dll6,0,21,52301 @Commit: 3f75a67c752a116de292affae29a22bbb5b71b18wpfgfxMicrosoft® .NET Framework-wpfgfxMD5=19D5F4E19D8657467439D26CE5232DDD,SHA256=8B051A41EF5AABFD72763B821F1D505CA0D346DC1AB172F6DC9ECE7B04F8A48B,IMPHASH=BAFC7F8C0766264F38AC860C76DB0B07true.NETValid 734700x8000000000000000347534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:44.026{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Reflection.Metadata.dll6.0.21.52210System.Reflection.MetadataMicrosoft® .NETMicrosoft CorporationSystem.Reflection.Metadata.dllMD5=DF8A09B47729B6E54B8748714C4ED452,SHA256=E9A717957C62236DD979750CE648DC8E981311F16B5E3DBC5405426CBC1414AB,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.996{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.CSharp.ExpressionEvaluator.dll1.0.0.0Microsoft.CodeAnalysis.CSharp.ExpressionEvaluatorMicrosoft.CodeAnalysis.CSharp.ExpressionEvaluatorMicrosoft.CodeAnalysis.CSharp.ExpressionEvaluatorMicrosoft.CodeAnalysis.CSharp.ExpressionEvaluator.dllMD5=C3BE86B4C421F56A3EE092500F64D1F9,SHA256=A338F25B43324110CBA2139CA099930AC85457C858AEEF6928CB97DF489C6E50,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000347532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.996{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Mono.Debugger.Soft.dll4.0.0.0Mono.Debugger.Soft.dll--Mono.Debugger.Soft.dllMD5=7F9287B3876F45986DB4DE9CDF590FEB,SHA256=BB19F4ADE7180960C032F13B0A70B33EDED6B4F232CFD51F09BDB38F8F5B1CEF,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000347531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.996{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.VisualBasic.ExpressionEvaluator.dll1.0.0.0Microsoft.CodeAnalysis.VisualBasic.ExpressionEvaluatorMicrosoft.CodeAnalysis.VisualBasic.ExpressionEvaluatorMicrosoft.CodeAnalysis.VisualBasic.ExpressionEvaluatorMicrosoft.CodeAnalysis.VisualBasic.ExpressionEvaluator.dllMD5=4E26A0D0497E9B432192AE0BDBFFAB1D,SHA256=4C87EDB4FF74DF1E2475054CA7FF00AA0CB11ED60202F3B8F2B4E9476C0F47B7,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000347530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.996{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Decompiler.dll6.2.0.0dnSpy.DecompilerdnSpy.DecompilerdnSpy.DecompilerdnSpy.Decompiler.dllMD5=E0EB1409207D2B9695C86C72A9A87C1D,SHA256=8CFE306412B4D8DD03B6AA9FCF8A870F11514DD598D89EA09CF1DEA7278FAF76,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000347529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.996{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Decompiler.ILSpy.Core.dll6.2.0.0dnSpy.Decompiler.ILSpy.CorednSpy.Decompiler.ILSpy.CorednSpy.Decompiler.ILSpy.CorednSpy.Decompiler.ILSpy.Core.dllMD5=4F0ED164A2E674B9CF19FCAD538DD2A8,SHA256=71EACA8BBC4D887525FE86A770D00D6FB69FBF431E0317D2682FCA7D16BA9816,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000347528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.996{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.Internal.dll1.0.0.0dnSpy.Roslyn.InternaldnSpy.Roslyn.InternaldnSpy.Roslyn.InternaldnSpy.Roslyn.Internal.dllMD5=83AAE20C78911A9E76C6C26F79B69928,SHA256=5AB81CAF72FFD2A21C59EB94926AAFBC2FBCEB31EAAFE581F69E42EBE7D1C40F,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000347637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:45.952{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.VisualBasic.dll4.100.22.11411Microsoft.CodeAnalysis.VisualBasicMicrosoft.CodeAnalysis.VisualBasicMicrosoft CorporationMicrosoft.CodeAnalysis.VisualBasic.dllMD5=9959DB5A9DF4D423964E01E510A3F260,SHA256=CC4ABC7C77E5DF9B010D9EBDC9464B73DAF03129EE70DB68D761B7E0FB092078,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 23542300x8000000000000000347636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:45.721{6820D070-4E46-6323-4401-000000007502}5176ATTACKRANGE\AdministratorC:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\AppData\Local\Temp\WPF\1uwz35gx.2ooMD5=825AB5E8C725411B8B9C319BDCC8EA4E,SHA256=2E3A2C34CC9728CB3C1915E1C778FD0D63D46AC8E238C90726C96E4A31042357,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000347635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:43.379{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63520-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x8000000000000000347634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:45.563{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\msctfui.dll10.0.14393.953 (rs1_release_inmarket.170303-1614)MSCTFUI Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTFUI.DLLMD5=2E0765561AC0715D03B2EAF4ACE62C5E,SHA256=F938D00A8FF9A1C832D0E50697A613D415A2B11988719E591C696D04027B189B,IMPHASH=46539B781BADC719A076E6CD82C5EF4CtrueMicrosoft WindowsValid 23542300x8000000000000000347633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:45.353{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73621E4180E26E5DB9F25F15FD61D034,SHA256=E2A8F6B1A183E2238EEDDB6A40094713EBAC3742336DCE73D6353B4DA59A48D4,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000347632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:45.339{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\ICSharpCode.NRefactory.dll5.5.1ICSharpCode.NRefactorySharpDevelop/MonoDevelopICSharpCodeICSharpCode.NRefactory.dllMD5=59D0530BF5E8C05BEB4B4239DAF57455,SHA256=8E6353712DCCBFEA331D11CCEA8DF43F14E9644E226FE46861328C7C1311441D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 23542300x8000000000000000347657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:46.365{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACF4A22F19338C4E30B6AC6E69302294,SHA256=7BD5D9539D147FD313115DDF30367BB24B6943B04C7E513FE4F05DFF7106510E,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000347656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:46.346{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Reflection.Extensions.dll6.0.21.52210System.Reflection.ExtensionsMicrosoft® .NETMicrosoft CorporationSystem.Reflection.Extensions.dllMD5=0C573B6691794FE91E6BBCCBFE56040D,SHA256=23205571BD4B97E6681F1CC9D38A5D5561DA0BA8F50B2ADB3704A2A61A3F3B39,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 23542300x8000000000000000190274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:46.134{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CA6285AAF3133CD0864965D9D1A38C8,SHA256=E9A8CD57BB46E5B7193AD540094E4DEBC0E0C2A009C8A442C3EEDA53E54B1258,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000347655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:46.296{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Runtime.CompilerServices.Unsafe.dll6.0.21.52210System.Runtime.CompilerServices.UnsafeMicrosoft® .NETMicrosoft CorporationSystem.Runtime.CompilerServices.Unsafe.dllMD5=BD9EF23AFCFC4F36BB524BB0DF83604A,SHA256=50C4304AA0723F8FBD90D1F91A9A75A635ECFB8E6AA905F12F2DFA6F5C8BDA7D,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:46.294{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Linq.Expressions.dll6.0.21.52210System.Linq.ExpressionsMicrosoft® .NETMicrosoft CorporationSystem.Linq.Expressions.dllMD5=2237CB203E627CB351B9894F6724D7ED,SHA256=A62E686E055A781523AE56B90BCD5B6E6CD8B6540D3E3EDA85657DAAB066424E,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:46.229{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.DiaSymReader.dll1.400.22.11101Microsoft.DiaSymReaderMicrosoft.DiaSymReaderMicrosoft CorporationMicrosoft.DiaSymReader.dllMD5=8EA512071D38B8237F255F9E6E8789CD,SHA256=AF1454B363F234832B37E3F8E0472E2A7B612E4A74B6D8DAF8D0376AE9E10E6A,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueWindows PhoneValid 734700x8000000000000000347652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:46.225{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Runtime.Serialization.Primitives.dll6.0.21.52210System.Runtime.Serialization.PrimitivesMicrosoft® .NETMicrosoft CorporationSystem.Runtime.Serialization.Primitives.dllMD5=BBEF0264A01DEE8EDA38BFAE66222934,SHA256=EAD2441E5B5DA178FC5F3665179D59F1CADF9FD2DA4786FD04720F96B5F74A72,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:46.224{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.IO.MemoryMappedFiles.dll6.0.21.52210System.IO.MemoryMappedFilesMicrosoft® .NETMicrosoft CorporationSystem.IO.MemoryMappedFiles.dllMD5=1B77C94AF33F444190FED152677E332F,SHA256=3827F7C14536E7DF1C8360F426C50359C9F2F3F1C8BBA0B4988F112759776E51,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000347650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:46.218{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Composition.AttributedModel.dll4.6.24705.01System.Composition.AttributedModelMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Composition.AttributedModel.dllMD5=24A0C8CCE8C132DF82C9B9C1AE834D05,SHA256=04D8EB1419E053FB7502DD952F3977F75B27DEDE5418D5F87D21DE16ADBD8313,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x8000000000000000347649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:46.217{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Composition.Runtime.dll4.6.24705.01System.Composition.RuntimeMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Composition.Runtime.dllMD5=D18C354A78688D6A3CF68A0567AF40E3,SHA256=C419E3D51F9EEFB1F6FC0FB7CCF9B5AC5CC4B75FA75131D4AF0C74252914EB10,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x8000000000000000347648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:46.216{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Composition.Hosting.dll4.6.24705.01System.Composition.HostingMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Composition.Hosting.dllMD5=D84515EE702052020EAAB048C0C221E3,SHA256=7A26E95E0F75E803ADB555ECFD02BCA59A533A4855DB6C861A3DEFB619DCE813,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x8000000000000000347647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:46.215{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Reflection.dll6.0.21.52210System.ReflectionMicrosoft® .NETMicrosoft CorporationSystem.Reflection.dllMD5=3936A133A7D185EB013DBDF7689B16B5,SHA256=BCC19E3FA18AA90D62B21E2AE9A060E6C51727D411354D20BB387D10AB0ABD86,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000347646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:46.214{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Composition.TypedParts.dll4.6.24705.01System.Composition.TypedPartsMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Composition.TypedParts.dllMD5=B91887BFCA35E50CCE9F2D7102C88706,SHA256=2C609BED3BBD2BE810471E31E36B12CB321A50FC2541E8F29C1F59C8CF869C41,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x8000000000000000347645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:46.212{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.VisualBasic.Features.dll4.100.22.11411Microsoft.CodeAnalysis.VisualBasic.FeaturesMicrosoft.CodeAnalysis.VisualBasic.FeaturesMicrosoft CorporationMicrosoft.CodeAnalysis.VisualBasic.Features.dllMD5=C016B1DEEEF496942DD968FBA534DCC2,SHA256=F3B4EA151024366A974ADA3C509976470427921DE5D6CF6AB00BB06D63B77B05,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000347644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:46.201{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.CSharp.Features.dll4.100.22.11411Microsoft.CodeAnalysis.CSharp.FeaturesMicrosoft.CodeAnalysis.CSharp.FeaturesMicrosoft CorporationMicrosoft.CodeAnalysis.CSharp.Features.dllMD5=180213DE249390D67791C54C9780B3AA,SHA256=B17279D0AE6AF8D16815E811B6F60B2628DC4994271463D0A43CFA5E8BDBC4CB,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000347643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:46.186{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.VisualBasic.Workspaces.dll4.100.22.11411Microsoft.CodeAnalysis.VisualBasic.WorkspacesMicrosoft.CodeAnalysis.VisualBasic.WorkspacesMicrosoft CorporationMicrosoft.CodeAnalysis.VisualBasic.Workspaces.dllMD5=807DD60A75A1330ED9A75ABADA3E6831,SHA256=EE89F918FC88E15F4AC90F4C11E3D52EB3EA76BB0A9771577634A93543550C09,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000347642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:46.179{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.CSharp.Workspaces.dll4.100.22.11411Microsoft.CodeAnalysis.CSharp.WorkspacesMicrosoft.CodeAnalysis.CSharp.WorkspacesMicrosoft CorporationMicrosoft.CodeAnalysis.CSharp.Workspaces.dllMD5=004885BA5B1D4DBF89F7F829861B98D4,SHA256=0CBC67A98FD8ABB9864DDCAFF6BFB572BA3F6F9EE66FA7AF1C551EF031233D37,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000347641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:46.167{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.VisualBasic.Internal.dll1.0.0.0dnSpy.Roslyn.VisualBasic.InternaldnSpy.Roslyn.VisualBasic.InternaldnSpy.Roslyn.VisualBasic.InternaldnSpy.Roslyn.VisualBasic.Internal.dllMD5=D1C0274FACB33012B897BA2B418E575E,SHA256=C2C2088CD5BE29D6FFFD0BC78C4D87A3ED253B6F7F20A594C4BE62F6306397C6,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 734700x8000000000000000347640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:46.166{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\dnSpy.Roslyn.CSharp.Internal.dll1.0.0.0dnSpy.Roslyn.CSharp.InternaldnSpy.Roslyn.CSharp.InternaldnSpy.Roslyn.CSharp.InternaldnSpy.Roslyn.CSharp.Internal.dllMD5=D9840B5CCF3122E9C1B3A0C3CB6AC5E8,SHA256=D2DB5E3894D8EC18EA52B867D77BA43F103A84AEBEB8983306913204967A4A63,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAfalse-Unavailable 23542300x8000000000000000347639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:46.071{6820D070-4E46-6323-4401-000000007502}5176ATTACKRANGE\AdministratorC:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\AppData\Local\dnSpy\Startup32\net\startup.profileMD5=8C543AD1363A8A240300C9839846B3CD,SHA256=8A00FF0201E04B76002901386557D03C1E7A25B09E3C01EB7C24E0A81CDC1CB2,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000347638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:46.040{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.CodeAnalysis.CSharp.dll4.100.22.11411Microsoft.CodeAnalysis.CSharpMicrosoft.CodeAnalysis.CSharpMicrosoft CorporationMicrosoft.CodeAnalysis.CSharp.dllMD5=68888FFA2D8AF2715DA808AA9545668C,SHA256=E39E962775915C4A74B1B29ED664F352D7EDACD3E8F798F11A482F0057C08820,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000347666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:47.886{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.CSharp.dll6.0.21.52210Microsoft.CSharpMicrosoft® .NETMicrosoft CorporationMicrosoft.CSharp.dllMD5=EBCDC3820DFAE1D74B698181A3C09916,SHA256=BFA7165815659626E9D3DB116AE9DFA0A7CA2AABAB30807744024B71DAE61248,IMPHASH=00000000000000000000000000000000true.NETValid 23542300x8000000000000000347665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:47.447{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2118D5B0B4A3FE97F4AC5399E7697FFE,SHA256=E2FBDC0F140985B24D8063A36C412FCB3AE988410665AD1CDC4FECA3A055D803,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:47.194{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1016F86170E43B7190D442BF6AB33E85,SHA256=421F5A375ECE72389AD10CCAF212C17575BA2139ED24B2FAF5F783DA9C04AC48,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000347664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:47.026{6820D070-4B7F-6323-9900-000000007502}29724972C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:47.026{6820D070-4B7F-6323-9900-000000007502}29724972C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:47.026{6820D070-4B7F-6323-9900-000000007502}29724972C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:47.026{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+ca500|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:47.026{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+66460|C:\Windows\System32\SHELL32.dll+ca4bc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:47.026{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+ca490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:47.026{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:48.964{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:48.964{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000347668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:48.495{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78F922B6C73633BD30A184A8961774A1,SHA256=83634161870F2E5C656AE5088AA33DDB07D31EC326F5666B536EC8A3043D0327,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:46.326{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49868-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000190276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:48.276{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84EBFDCEC4D1B0D263782AEAF1E1CAB0,SHA256=18D987FAD1DF0769AD26A12B14F7DADF7138C3650AB6CB77129822C8DEED5BB9,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000347667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:48.225{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Runtime.Numerics.dll6.0.21.52210System.Runtime.NumericsMicrosoft® .NETMicrosoft CorporationSystem.Runtime.Numerics.dllMD5=AA0B7C35F5BC58EE9DF358E598396723,SHA256=EC6375D30F957BF0EC86BB3F6ADA7F4A0B5A0B688115B46F4BE6882C48679D54,IMPHASH=00000000000000000000000000000000true.NETValid 23542300x8000000000000000347674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:49.631{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD60B23AA4B125B083438FE2EB050BC8,SHA256=3E2C2B6C412F660607AA41517CE10A4CFB66A1C5C16ED9A1A0CB6A9E18DCC351,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:49.349{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CB8814EA35AE4C79F02C2ADEA572D8A,SHA256=FDC59597ED0899F65252FEE60244D550EC645C08984D6D21AF90122BA07AEEFB,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000347673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:49.087{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Accessibility.dll6.0.21.52301Accessibility-versionMicrosoft® .NETMicrosoft CorporationAccessibility-version.dllMD5=0FF4D556617A1E55863CD6FE17CFAA61,SHA256=484E1F592A490C528369F98E807B918C3159B9432CA53FBD6A8FC4EABE88FC2E,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000347672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:49.087{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\oleacc.dll7.2.14393.5127 (rs1_release_inmarket.220514-1756)Active Accessibility Core ComponentMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEACC.DLLMD5=578E7CDCEEEC1A28163863C5AAFAE703,SHA256=EE6DED451C99D92FDB375232A5DF33C846C11425E4409DBA6063539A1C566403,IMPHASH=91DB2465A9EA36C5C01315C79E4EAD5AtrueMicrosoft WindowsValid 734700x8000000000000000347671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:49.072{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\sxs.dll10.0.14393.5246 (rs1_release.220701-1744)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=2A16D108FE99577ABCC08B92F2765971,SHA256=AF5268F39CE35FA3215E8162A0BF4C1949D0F5FB7A284953362ED23507C5697F,IMPHASH=36E120EA05F8714D20693A7DA02D7326trueMicrosoft WindowsValid 23542300x8000000000000000347675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:50.706{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9124C2534F85932D84589F4CE70C2EE0,SHA256=9D6955D67C41402BE303180594FAD5BA2D41C726F261F3AB9BAC88D91134DE4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:50.420{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31EB7ADC541283301C6AE8E4C08796DD,SHA256=251CEF4D8393251BF635CF857869E1FAEBDE4312218DBCA9577DE403E36A7637,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000347677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:51.748{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6F5C9136B5C4F800E350CB6A21E3D18,SHA256=861EFC1EB0C1497F0F25A2E86821B2D093FDB85F0F27987CA1627326A5DB9DE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:51.495{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14957FC10B31DC4ACF7B2D253C1202E5,SHA256=98712D2C54CD12134756310B7DEAF42C124B1758518ECD07484549ED16416E92,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000347676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:49.377{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63521-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000347678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:52.781{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C713580158F9D008238EEF119934BE3,SHA256=807479E9C784AA460B6819A6E34F8B46DD7D9E4722C8EE7099D0BF608C8E5097,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:52.800{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B3FBA3F0513E4DECB3159A1988BCBED,SHA256=52F998BC37F868B61F8C013628C353885F57C6745C86908A56D464EC2EEEC877,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000347681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:53.833{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4556954CF612E44806C0621DB5C87068,SHA256=6076841FD876E90AABEF92C282B7ADE38234B134A18DD2C3BAF500680CBB37E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:53.869{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D61519E1C8C32FBD88BE0853DD0089A,SHA256=033A54C89CF7205C1BF6E0D366CB0E51055AEFAFC7D6A721C91098B55F0621FF,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000347680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:53.445{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\explorer.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000347679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:53.445{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\explorer.exeC:\Windows\System32\virtdisk.dll10.0.14393.2007 (rs1_release.171231-1800)Virtual Disk API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationVIRTDISK.DLLMD5=52F41CC2AAA9548FE4F8CF122EC209EC,SHA256=BEE64EAC456019C6B1C6D04ECBE22CA4D8804BE87E003E2D3952801207BC6EF4,IMPHASH=A3334A2670A60783CE69DE81680830ACtrueMicrosoft WindowsValid 23542300x8000000000000000347682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:54.864{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F544E285AAC493CC42A27BEF12794196,SHA256=493E07CF8E2A468DB441F6CE5833F79211B2B5B8D08E30C8B0BB888BC20785C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:54.960{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0AFCFB808AD1B5BACBA9D149F72AA00,SHA256=4FFEBD887394DECC76E7AC7AA4F4E05D53EB3E468A3D01BA9F7C1CCD9F9DF005,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:52.292{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49869-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000190285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:56.169{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C92FC97225A0ABFF87274D704EFFFC2,SHA256=7245BE027BD7F450D273C761412A85D924309D323CA26171B382EEE399511A98,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000347684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:54.379{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63522-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000347683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:56.033{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5894A172935A531838A2BDBAA26FADD5,SHA256=47AF97CBE85CABA454FE4D671DE7A12BBDF063264600F39618D7872FAB9D1D6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:57.377{E743DC12-4AD0-6323-1100-000000007602}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2C82629018ADEB82AACEC3560CCCB5C9,SHA256=D35C6206969D518236E261FC376C17C00350B64798A2A41002E2125B0186E1F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:57.361{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE4EF8E8C0B8B472F1829DFCCFDB0CCB,SHA256=1EB71802D6C41CB0441708A97AAE1C9F07E9EF14D67202A5A1EDDFFB0ED34641,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000347727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:57.988{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=45B7D4B252905E75BB74B33FE0A6757C,SHA256=2C99D47C7879BF747A157C4B1F0099E3A3C565E9E677372CEAC6C154DB892E9B,IMPHASH=02A49231FBD4D14396A5A54F65097366trueMicrosoft WindowsValid 734700x8000000000000000347726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:57.983{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\wshom.ocx5.812.10240.16384Windows Script Host Runtime LibraryMicrosoft ® Windows Script Host Runtime LibraryMicrosoft Corporationwshom.ocxMD5=B7BC15806713896B2EC8BB84A13A3FE0,SHA256=B963B89075098B3D38D40BB0D4164D7E50BEBD4F784ECAB0000D733A2CB14A85,IMPHASH=B6C77CE880E576162C4E4F9C5AF244ADtrueMicrosoft WindowsValid 734700x8000000000000000347725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:57.992{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9,IMPHASH=313B85F092EA5CD18DD8311E8921D208trueMicrosoft WindowsValid 10341000x8000000000000000347724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:57.991{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E55-6323-4601-000000007502}6672C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000347723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:57.991{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E55-6323-4601-000000007502}6672C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000347722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:57.991{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E55-6323-4601-000000007502}6672C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000347721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:57.990{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E55-6323-4601-000000007502}6672C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000347720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:57.990{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E55-6323-4601-000000007502}6672C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000347719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:57.990{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E55-6323-4601-000000007502}6672C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 734700x8000000000000000347718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:57.438{6820D070-4E55-6323-4601-000000007502}6672C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000347717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:57.421{6820D070-4E55-6323-4601-000000007502}6672C:\Windows\System32\dllhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000347716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:57.421{6820D070-4E55-6323-4601-000000007502}6672C:\Windows\System32\dllhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 23542300x8000000000000000347715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:57.421{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=92FF7E9E29A7A72A738A1A24FEE7603F,SHA256=F8460E1BD412F9C8E1DD3A9F644ABE820822BA4A4697534DDD4A1482616EE2E7,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000347714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:57.421{6820D070-4E55-6323-4601-000000007502}6672C:\Windows\System32\dllhost.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000347713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:57.421{6820D070-4E55-6323-4601-000000007502}6672C:\Windows\System32\dllhost.exeC:\Windows\System32\thumbcache.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft Thumbnail CacheMicrosoft® Windows® Operating SystemMicrosoft Corporationthumbcache.dllMD5=915850DD84E156381392FC43ECDF37C0,SHA256=03E2C6D75BCC4FE599C40C4929E2877543EE625494BAC86D988AD23A0439468A,IMPHASH=428FE673E24F7848BECF2BA2271A839AtrueMicrosoft WindowsValid 10341000x8000000000000000347712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:57.405{6820D070-4AD1-6323-1500-000000007502}12201948C:\Windows\system32\svchost.exe{6820D070-4E55-6323-4601-000000007502}6672C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:57.405{6820D070-4AD1-6323-1500-000000007502}12201256C:\Windows\system32\svchost.exe{6820D070-4E55-6323-4601-000000007502}6672C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000347710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:57.405{6820D070-4E55-6323-4601-000000007502}6672C:\Windows\System32\dllhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000347709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:57.405{6820D070-4E55-6323-4601-000000007502}6672C:\Windows\System32\dllhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000347708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:57.405{6820D070-4E55-6323-4601-000000007502}6672C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000347707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:57.390{6820D070-4E55-6323-4601-000000007502}6672C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000347706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:57.374{6820D070-4E55-6323-4601-000000007502}6672C:\Windows\System32\dllhost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000347705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:57.374{6820D070-4E55-6323-4601-000000007502}6672C:\Windows\System32\dllhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000347704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:57.368{6820D070-4E55-6323-4601-000000007502}6672C:\Windows\System32\dllhost.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 10341000x8000000000000000347703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:57.368{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4E55-6323-4601-000000007502}6672C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000347702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:57.352{6820D070-4E55-6323-4601-000000007502}6672C:\Windows\System32\dllhost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x8000000000000000347701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:57.352{6820D070-4E55-6323-4601-000000007502}6672C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x8000000000000000347700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:57.352{6820D070-4B7F-6323-9900-000000007502}29725892C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a360|C:\Windows\System32\ole32.dll+8c46e|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8e5d|C:\Windows\System32\SHELL32.dll+28397e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 734700x8000000000000000347699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:57.348{6820D070-4E55-6323-4601-000000007502}6672C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000347698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:57.341{6820D070-4E55-6323-4601-000000007502}6672C:\Windows\System32\dllhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000347697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:57.340{6820D070-4E55-6323-4601-000000007502}6672C:\Windows\System32\dllhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000347696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:57.321{6820D070-4E55-6323-4601-000000007502}6672C:\Windows\System32\dllhost.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000347695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:57.321{6820D070-4E55-6323-4601-000000007502}6672C:\Windows\System32\dllhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 10341000x8000000000000000347694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:57.305{6820D070-4B7C-6323-8800-000000007502}628648C:\Windows\system32\csrss.exe{6820D070-4E55-6323-4601-000000007502}6672C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x8000000000000000347693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:57.305{6820D070-4E55-6323-4601-000000007502}6672C:\Windows\System32\dllhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000347692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:57.290{6820D070-4E55-6323-4601-000000007502}6672C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000347691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:57.274{6820D070-4E55-6323-4601-000000007502}6672C:\Windows\System32\dllhost.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 23542300x8000000000000000347690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:57.267{6820D070-4ADF-6323-3200-000000007502}2936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FE42ADEF325ADECD1BD1B9300D27E642,SHA256=C8E95B9C6F490C9E6815D9FC35A786894F891E69BE8272F8F5C05CD2139F9B8D,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000347689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:57.252{6820D070-4E55-6323-4601-000000007502}6672C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeMD5=DA63852A2B0340E94D74EAF0CD444979,SHA256=EE8364C07B3F4F71FA649E0E6C4C73C15D285130E4B16E79890EEBBF89C2164E,IMPHASH=1C99A7F1249FB0C7B924253B69E59F88trueMicrosoft WindowsValid 10341000x8000000000000000347688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:57.252{6820D070-4ACF-6323-0500-000000007502}404472C:\Windows\system32\csrss.exe{6820D070-4E55-6323-4601-000000007502}6672C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000347687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:57.252{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4E55-6323-4601-000000007502}6672C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000347686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:57.222{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\explorer.exeC:\Windows\System32\IconCodecService.dll10.0.14393.1715 (rs1_release_inmarket.170906-1810)Converts a PNG part of the icon to a legacy bmp iconMicrosoft® Windows® Operating SystemMicrosoft CorporationICONCODESERVICE.DLLMD5=8A6E1F92860CD6DE9781CB6BF0443D4E,SHA256=BE40A714D5E2CAFD5244825F07929D37E7CFE704F3087A03F57C1B8003D1A805,IMPHASH=6D37AEFFA8E4320A96C91B3A3282D007trueMicrosoft WindowsValid 23542300x8000000000000000347685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:57.068{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4E13CB52D63213101EBB189DC35BF8D,SHA256=D7CED4DD9C89697647494984C8E5F62E673FB7B46CA211801902FBC7619BB46E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:58.466{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCDB340C0B978B15EDE22DD540525D9A,SHA256=2BB7C574464385CFC7E70D007768A028A3814291CE232AFC516DC592B059F4A4,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000190297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 16:09:58.449{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000190296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 16:09:58.449{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x000e78b6) 13241300x8000000000000000190295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 16:09:58.449{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8c915-0x3846dc95) 13241300x8000000000000000190294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 16:09:58.449{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8c91d-0x9a0b4495) 13241300x8000000000000000190293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 16:09:58.449{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8c925-0xfbcfac95) 13241300x8000000000000000190292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 16:09:58.449{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000190291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 16:09:58.449{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x000e78b6) 13241300x8000000000000000190290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 16:09:58.449{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8c915-0x3846dc95) 13241300x8000000000000000190289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 16:09:58.449{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8c91d-0x9a0b4495) 13241300x8000000000000000190288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 16:09:58.449{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8c925-0xfbcfac95) 23542300x8000000000000000347741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:58.793{6820D070-4AD1-6323-1100-000000007502}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=23F2AE7495C98F17CCA69C1034F376FE,SHA256=9E1CFDAFF6B9CAB0099D423727BCF6351A0FEB55D32E8552C22DD4563E4633A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000347740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:58.725{6820D070-4B7F-6323-9900-000000007502}29724972C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:58.725{6820D070-4B7F-6323-9900-000000007502}29724972C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:58.725{6820D070-4B7F-6323-9900-000000007502}29724972C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:58.725{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+ca500|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:58.725{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+66460|C:\Windows\System32\SHELL32.dll+ca4bc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:58.725{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+ca490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:58.725{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000347733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:58.307{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=885C5AFB38422F4DAD5A827AEF987D0A,SHA256=5F3F27E107BA8D1EEB55ED48395C0B967E76B535AAF0DDC45B430EC14E61373E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000347732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:58.306{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59DAABF93379A18EBEC719602A1C4BFD,SHA256=8F6DBB88F88F7B097096349ED355712DC7E18BD160BF2A514C103DC2AFEBCBB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000347731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:58.151{6820D070-4E46-6323-4401-000000007502}5176ATTACKRANGE\AdministratorC:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\AppData\Local\dnSpy\Startup32\net\startup-roslyn.profileMD5=05B4E1AB3AA5E775CC4C56CE5DF29DA9,SHA256=19758B57ED511386F35900FB10CD70A6D73FB41B89C8EB2E63869DBD6433845E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000347730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:58.023{6820D070-4B7F-6323-9900-000000007502}29725892C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a26e|C:\Windows\System32\ole32.dll+89b6b|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8e5d|C:\Windows\System32\SHELL32.dll+28397e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x8000000000000000347729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:58.023{6820D070-4B7F-6323-9900-000000007502}29725892C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+b5f62|C:\Windows\System32\ole32.dll+89b39|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8e5d|C:\Windows\System32\SHELL32.dll+28397e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 734700x8000000000000000347728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:57.991{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\scrrun.dll5.812.10240.16384Microsoft ® Script RuntimeMicrosoft ® Script RuntimeMicrosoft Corporationscrrun.dllMD5=BDE015F19B4508F5812D6F215AAE23DB,SHA256=BE452B19485B5277BC32F7044496880D9AEF38679C9FFCCF981FFE89AAE93C16,IMPHASH=C0A75BD240FCBDE29B7057900B03ADE8trueMicrosoft WindowsValid 354300x8000000000000000190300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:57.347{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49870-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000190299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:59.540{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B763F62D5ABD12A0447BC2D3964122D,SHA256=0279B4E4A55BF2526D5F82B37DC65F9C066439C4C20DE75480F06EA194495747,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000347776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:59.792{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2E00-000000007502}2728C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:59.791{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2D00-000000007502}2720C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:59.786{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 13241300x8000000000000000347773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.localT1060,RunKeySetValue2022-09-15 16:09:59.772{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000347772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.localT1060,RunKeySetValue2022-09-15 16:09:59.772{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x000e75e7) 13241300x8000000000000000347771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 16:09:59.772{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8c915-0x38e96da1) 13241300x8000000000000000347770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 16:09:59.772{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8c91d-0x9aadd5a1) 13241300x8000000000000000347769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 16:09:59.772{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8c925-0xfc723da1) 13241300x8000000000000000347768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.localT1060,RunKeySetValue2022-09-15 16:09:59.772{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000347767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.localT1060,RunKeySetValue2022-09-15 16:09:59.772{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x000e75e7) 13241300x8000000000000000347766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 16:09:59.772{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8c915-0x38e96da1) 13241300x8000000000000000347765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 16:09:59.772{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8c91d-0x9aadd5a1) 13241300x8000000000000000347764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 16:09:59.772{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8c925-0xfc723da1) 10341000x8000000000000000347763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:59.360{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:59.353{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2900-000000007502}2576C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:59.347{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:59.335{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2600-000000007502}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:59.328{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2500-000000007502}2460C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:59.323{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADB-6323-2300-000000007502}2300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:59.321{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD2-6323-1B00-000000007502}1512C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:59.319{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1700-000000007502}1348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:59.310{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1600-000000007502}1292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:59.283{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:59.273{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1400-000000007502}1160C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:59.267{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1300-000000007502}924C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:59.256{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1200-000000007502}396C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:59.246{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1100-000000007502}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:59.239{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1000-000000007502}428C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:59.222{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0F00-000000007502}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:59.210{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 23542300x8000000000000000347746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:59.204{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBF4E139B80F0123CB95F1CC813A66B6,SHA256=A58289FC60AE0CAA2BB9B57F6444A9A270D2F5880CE0FBF7573B8826F2839A6F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000347745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:59.199{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0D00-000000007502}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:59.188{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:59.147{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:09:59.141{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0900-000000007502}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 23542300x8000000000000000190302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:00.617{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F604C544EF3E1B8A5F79EE8CC43EB625,SHA256=8B1084E5149E7CCBC6B4387743A29A1B2528FBA28CE571D515E8C55D25FC7E93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000347782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:00.574{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:00.574{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000347780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:00.374{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F2FFA30559EBE7A7A1DAD7E9F385065,SHA256=A234675A3EAFEC76C823A546B74DE02F48C6DBDB35F44FB7B39E1019F6F0CF0E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000347779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:00.298{6820D070-4B7F-6323-9900-000000007502}29724976C:\Windows\Explorer.EXE{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+bdd30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8013285BCD8)|UNKNOWN(FFFFD9E122A77E08)|UNKNOWN(FFFFD9E122A77F87)|UNKNOWN(FFFFD9E122A72611)|UNKNOWN(FFFFD9E122A73FDA)|UNKNOWN(FFFFD9E122A72296)|UNKNOWN(FFFFF80132571503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000347778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:00.298{6820D070-4B7F-6323-9900-000000007502}29724976C:\Windows\Explorer.EXE{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bd811|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8013285BCD8)|UNKNOWN(FFFFD9E122A77E08)|UNKNOWN(FFFFD9E122A77F87)|UNKNOWN(FFFFD9E122A72611)|UNKNOWN(FFFFD9E122A73FDA)|UNKNOWN(FFFFD9E122A72296)|UNKNOWN(FFFFF80132571503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000347777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:00.298{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFe77eb.TMPMD5=AE83E3D1BED7E22F099EC37882555B7F,SHA256=19C20C1DAA5B1C1F7E9A0561569A10ABB7DBF1B544D26F74C2B5990D9C688508,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000190301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 16:10:00.437{E743DC12-4AD0-6323-1500-000000007602}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8c91d-0x9b4ffc0d) 354300x8000000000000000190305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:09:59.482{E743DC12-4AD3-6323-3C00-000000007602}2820C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49871-false169.254.169.254-80http 23542300x8000000000000000190304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:01.698{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD3540FD78F1C9FBD50D3B1697B67A96,SHA256=A35C664E866AC3291C82822A5588EFC223723DF9B718CEFF5F33A5BB3F5E99B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000347789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:01.814{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3500-000000007502}2408C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:01.813{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3300-000000007502}2176C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:01.809{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:01.806{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3100-000000007502}2816C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:01.803{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2F00-000000007502}2800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:01.801{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3000-000000007502}2780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 23542300x8000000000000000347783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:01.416{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC15FA28A9EA1E8E96F826811D8E8692,SHA256=DFFFD426F4ED176B588A87515D5E85FC3F4A69FCF2EFE44E72D6B39EE659F550,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:01.506{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=E3F0F0CA33C32E0FD364A9061A222FC1,SHA256=EA6B121359D08B75279AA36DD5D0B09910C9262D11891EB7525EAC434EF3325B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:02.791{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2D2150ACEBA035D5032C0708AE4071A,SHA256=E7AC05105CEC403553EB32361061CA7B5349E4125469722D136537F79D8D85E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000347819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:00.413{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63523-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000347818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:02.714{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:02.705{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:02.697{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:02.692{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:02.689{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:02.685{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:02.671{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF6-6323-1401-000000007502}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:02.660{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:02.644{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F100-000000007502}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:02.634{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F000-000000007502}6028C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:02.623{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EF00-000000007502}5984C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:02.573{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EE00-000000007502}5852C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 23542300x8000000000000000347806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:02.501{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=684B96F1E49DC2232AB489139154AB13,SHA256=DE8CB521FECDE93132BAFC828652B1F6DB4D69C0F6B2BAAC94598E0FFA8C4278,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000347805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:02.500{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:02.488{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:02.469{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:02.402{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:02.389{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-9100-000000007502}4556C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:02.371{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-8E00-000000007502}4492C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:02.362{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8B00-000000007502}4360C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:02.355{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8900-000000007502}900C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:02.352{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B64-6323-8600-000000007502}5052c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:02.342{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B5A-6323-8400-000000007502}4824C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:02.336{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AF2-6323-7D00-000000007502}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:02.333{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:02.324{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4C00-000000007502}3976C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:02.322{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4700-000000007502}3772C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:02.320{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE1-6323-4600-000000007502}3752C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000347790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:02.319{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE0-6323-3A00-000000007502}3404C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000190314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:03.987{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1000-000000007602}940C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:03.979{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0F00-000000007602}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:03.962{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0E00-000000007602}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:03.951{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0D00-000000007602}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:03.939{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0C00-000000007602}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:03.930{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:03.928{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0900-000000007602}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 23542300x8000000000000000190307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:03.889{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7BFD71F1BFA7A347C0EA2C024CAA773,SHA256=3BE713B2F2C9C1AF8F53E15AEBFC2A0355B2E49055040C417EC3D95CB4505FD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000347820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:03.508{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84DCA027AFF932EFE91284CBCF5BA105,SHA256=35154993ABE0741BBAF5F1122A2B3E1A2DCE4D16C4C6BDB389448F31308AFFA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000347823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:04.561{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE731AD0D37B15DCE876EDD6C42137F3,SHA256=5A67A85734BE133D754A8698E9F5B0C1F9D4FCB55FFC421292244C7573FE1059,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:02.365{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49872-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000190343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:04.200{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B84-6323-9000-000000007602}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:04.190{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:04.171{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:04.167{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8700-000000007602}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:04.161{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B81-6323-8400-000000007602}3052C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:04.156{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B80-6323-8100-000000007602}640C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:04.155{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B7F-6323-7F00-000000007602}1676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:04.153{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B4B-6323-7B00-000000007602}2656C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:04.151{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AE3-6323-6D00-000000007602}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:04.148{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:04.145{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4200-000000007602}3036C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:04.144{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4000-000000007602}3000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:04.142{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-3C00-000000007602}2820C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:04.140{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD2-6323-2B00-000000007602}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:04.139{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2600-000000007602}2612C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:04.137{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2500-000000007602}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:04.134{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:04.131{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:04.128{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2000-000000007602}2000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:04.126{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1F00-000000007602}1984C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:04.120{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1C00-000000007602}1924C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:04.114{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1900-000000007602}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:04.104{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1700-000000007602}1228C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:04.101{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1600-000000007602}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:04.093{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1500-000000007602}1056C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:04.053{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1400-000000007602}1048C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:04.047{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1300-000000007602}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:04.041{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1200-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:04.024{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1100-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000347822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:04.190{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:04.190{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000347824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:05.593{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F8DD14C3DD1DB277D66C0509F5DE650,SHA256=04A779FC04684FB1877DCB6F5BE39A0C25A2FC0D6811B6D901C439D99F1166AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:05.081{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=377C5303870A1C63308897E489FE1874,SHA256=4C49576D21FD732C8A62132A8C9D6CCF593D8F6BAC254F051A9CFA18C831946B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000347825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:06.667{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=198EC0C3001685BA1096BDEB364E987F,SHA256=C9854310881FF7929E2062372C2E38598C82D434563E31FACA3FF855AC03A51E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:06.285{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-1D00-000000007602}1944C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000190346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:06.152{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBF44986FEB876489F94A5DB33BD47E9,SHA256=50C190E7B60930869846308F77C4D8612DC0646D9ECBE06D3A6E5CC4DF420D7B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:07.616{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4E5F-6323-F300-000000007602}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:07.616{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:07.616{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:07.616{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:07.616{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:07.616{E743DC12-4ACF-6323-0500-000000007602}412528C:\Windows\system32\csrss.exe{E743DC12-4E5F-6323-F300-000000007602}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:07.616{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4E5F-6323-F300-000000007602}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:07.617{E743DC12-4E5F-6323-F300-000000007602}4756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000190348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:07.203{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FF3A23FEA0D0EB949C68C068EAD6B52,SHA256=20D7F8B799D847F0B81D4FE9924E333757FFAF3FE192DFBC8892C9530635A5F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000347827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:07.735{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09CFC93084E1F475495EAE8AE2F1D867,SHA256=B43CBD3D8D9536678618A06EDC328737F85F0AC9FE96EA1B24E8ACB6F17FB242,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000347826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:05.430{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63524-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000347832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:08.806{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A4FA56681A832C31E32016BE85EB314,SHA256=D2D0F97F77FEB920E547045252585C5A038D83471EEDBEE949453B1D41B2F00D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:08.878{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4E60-6323-F500-000000007602}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:08.878{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:08.878{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:08.878{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:08.878{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:08.878{E743DC12-4ACF-6323-0500-000000007602}412528C:\Windows\system32\csrss.exe{E743DC12-4E60-6323-F500-000000007602}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:08.878{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4E60-6323-F500-000000007602}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:08.880{E743DC12-4E60-6323-F500-000000007602}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000190367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:08.659{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FEA3941E879BDCE31434D2BDCD919B35,SHA256=01E82C8788BFB02C1290D4C2771C31DE8D4940488A8C157CD6749871599BFE82,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:08.465{E743DC12-4E60-6323-F400-000000007602}37481816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000190365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:08.401{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56BCC659F07B458E44B0A087563AB79C,SHA256=C122395E596FF6D8D966B661279560669936BE07FE3E0AB183D6753415782724,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:08.292{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4E60-6323-F400-000000007602}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:08.289{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:08.289{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:08.289{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:08.289{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:08.289{E743DC12-4ACF-6323-0500-000000007602}412528C:\Windows\system32\csrss.exe{E743DC12-4E60-6323-F400-000000007602}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:08.288{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4E60-6323-F400-000000007602}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:08.289{E743DC12-4E60-6323-F400-000000007602}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000347831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:08.670{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Directory ServiceMD5=7A1B923530FB73D71B9C00CECB4F5088,SHA256=1270841E1FF9B084FD6EE5740D492D1B753DECE164CC12AF0E28036315A89048,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000347830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:08.505{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:08.505{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000347828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:08.236{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Directory ServiceMD5=AB4A7F257C785357D2C1E6D4F44570CF,SHA256=D68E2E342882FF54B5BA3861C6229052A626D4B6853DDBF4ACFCF0A07F2A55C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000347839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:09.939{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FEC6F59E3BB8849FBC8AD6E9A3DD088,SHA256=0B1534A7EB0BA5476DEB3032B9C6EAA60A40285D28C5F0F3916AE4327AD281CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:09.730{E743DC12-4E61-6323-F600-000000007602}49964724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:09.551{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4E61-6323-F600-000000007602}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:09.546{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:09.546{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:09.546{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:09.545{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:09.545{E743DC12-4ACF-6323-0500-000000007602}4121064C:\Windows\system32\csrss.exe{E743DC12-4E61-6323-F600-000000007602}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:09.545{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4E61-6323-F600-000000007602}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:09.545{E743DC12-4E61-6323-F600-000000007602}4996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000190377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:09.500{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8C25B4CAB478654D00C68B43A82AD8A,SHA256=57E535504ABA4010CBA81DF6B0FC429CB954EDFC380BC33A0D23A0B0567C10AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:09.480{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=0BC2586A174D7CB52AADE12B9CADE7D4,SHA256=E65CAE67129B8E538317004C226A6B1F1A3ADC499DA96729ABE7D5FCA5EC0D9D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000347838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:07.266{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local63526-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local49666- 354300x8000000000000000347837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:07.266{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local63526-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local49666- 354300x8000000000000000347836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:07.265{6820D070-4AD1-6323-0D00-000000007502}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local63525-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local135epmap 354300x8000000000000000347835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:07.265{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local63525-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local135epmap 23542300x8000000000000000347834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:09.174{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F00D8EC5AEA79D48CC178501CAE00887,SHA256=C31BB30EC1DE8C6E8CC5EF03EFE914537FEA2AFB015AD2056E228F820CE48D70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000347833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:09.122{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Directory ServiceMD5=A0F973F6FC7EBF94BFD24892B7876890,SHA256=FA03EB49D8F46DFDE7858252A6ADCB6619DC51279AF29E721666E33E1F7B5FE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:08.339{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49873-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000190404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:10.806{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4E62-6323-F800-000000007602}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:10.806{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:10.806{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:10.806{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:10.806{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:10.806{E743DC12-4ACF-6323-0500-000000007602}4121064C:\Windows\system32\csrss.exe{E743DC12-4E62-6323-F800-000000007602}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:10.806{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4E62-6323-F800-000000007602}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:10.807{E743DC12-4E62-6323-F800-000000007602}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000190396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:10.581{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9B8A14505BB0689C17E18D9937CFF59,SHA256=AFF9A7BAB498159B3D020A8C7E232EFD7AED540D92B62B9DA6D391C1ED2F69DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000347843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:10.481{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:10.481{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 22542200x8000000000000000347841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:07.272{6820D070-4ACF-6323-0B00-000000007502}620win-dc-ctus-attack-range-403.attackrange.local010.0.1.14;C:\Windows\System32\lsass.exe 22542200x8000000000000000347840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:07.272{6820D070-4ACF-6323-0B00-000000007502}620win-dc-ctus-attack-range-403.attackrange.local0fe80::2135:d7af:67a3:9d8d;C:\Windows\System32\lsass.exe 10341000x8000000000000000190395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:10.370{E743DC12-4E62-6323-F700-000000007602}49563412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:10.214{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4E62-6323-F700-000000007602}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:10.214{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:10.214{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:10.214{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:10.214{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:10.214{E743DC12-4ACF-6323-0500-000000007602}412428C:\Windows\system32\csrss.exe{E743DC12-4E62-6323-F700-000000007602}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:10.214{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4E62-6323-F700-000000007602}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:10.215{E743DC12-4E62-6323-F700-000000007602}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000190421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:11.757{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4E63-6323-F900-000000007602}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 10341000x8000000000000000190420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:11.757{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4E63-6323-F900-000000007602}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 10341000x8000000000000000190419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:11.756{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4E63-6323-F900-000000007602}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 10341000x8000000000000000190418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:11.756{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4E63-6323-F900-000000007602}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 10341000x8000000000000000190417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:11.756{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4E63-6323-F900-000000007602}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 10341000x8000000000000000190416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:11.756{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4E63-6323-F900-000000007602}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 23542300x8000000000000000190415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:11.650{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9451B5117A481A3F87204C09BA199CEC,SHA256=7F73E4041E7A80023D1544526CEAD0F2C99DE8997492035B4D530F55E8277538,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000347848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:11.680{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:11.680{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:11.404{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:11.404{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000347844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:11.003{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=540B3D0AA364A07D98310134EB0EFACF,SHA256=98542C006FC51DF77E0EA95847EED55E83F5EC2570DECD010EAB2B11E6F96A0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:11.487{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4E63-6323-F900-000000007602}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:11.487{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:11.487{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:11.487{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:11.487{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:11.487{E743DC12-4ACF-6323-0500-000000007602}4121064C:\Windows\system32\csrss.exe{E743DC12-4E63-6323-F900-000000007602}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:11.487{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4E63-6323-F900-000000007602}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:11.488{E743DC12-4E63-6323-F900-000000007602}4980C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000190406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:11.009{E743DC12-4E62-6323-F800-000000007602}50004964C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000190423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:12.723{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88A766AA9483048B2735DE5260E0BF0C,SHA256=202197DDE3D6CA138F3F3F5B6C7DC8BD89B5AF31CAE8A22D4C40B087E28D9385,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000347857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:10.655{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63530-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000347856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:10.655{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63530-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000347855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:10.650{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63529-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000347854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:10.649{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63529-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000347853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:10.649{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63528-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000347852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:10.649{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63528-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000347851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:10.640{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local63527-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000347850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:10.640{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local63527-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local389ldap 23542300x8000000000000000347849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:12.046{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27D7E99EE6AE424A601264BE494A1EB9,SHA256=B2C58E349BDC216B0DCBD5BB058EB400753D66B9A5D3CE535095731ABA5CB370,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:12.017{E743DC12-4AD1-6323-2200-000000007602}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=2CB85FFEFA9CC4CB5E8CC5ACDB5EC28E,SHA256=CF0ECB406247775DC36E0071F0CEA2FF03E8E9075F3FA6DCF309A6523F6D6B74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:13.811{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16783A109C250084337F57E0F8BBF90D,SHA256=E45472FC7EDE064A2047F68658E1A5D5061351D55BB3C79F2FC33547D8337361,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000347863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:11.242{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63532-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000347862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:10.656{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63531-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000347861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:10.656{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63531-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local389ldap 10341000x8000000000000000347860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:13.573{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:13.573{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000347858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:13.094{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=068D0FA0E070EE29C40129856C80A6DB,SHA256=2EDF5B02656BB4AFB77EFEF4134957F743049431CCD39F17658E84A365C41130,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:14.883{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=345B2729565F7C58A62D8641D584CEAA,SHA256=D264C037063C5ED127289F508C181CF790890EE2880A440BB76F9039F17ED7CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000347864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:14.167{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE8D8BDEE48BCA6A2D1E48F91F31ABA1,SHA256=28C436BDE4C73A9005F7064B58ED9A6458E49E627958F4F66B6F6B3DC20C0CFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:15.977{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16FD7159D0BFA3CB43B71F71B096C8A7,SHA256=4EC2551D7B1BA8041221BD2A430F4B3675D30D83CF819EF7F692DF8229AB564B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000347865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:15.234{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EA35E474916874619E5313F745DBB11,SHA256=4ABD4AC823923DA8E728082798D6B46165154C39CA8D666FBC9DC067A46CB459,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000347867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:14.126{6820D070-4AE1-6323-4600-000000007502}3752C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63533-false169.254.169.254-80http 23542300x8000000000000000347866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:16.251{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C13F0180B24C870F3EA51316B84E2E86,SHA256=E27CEF9C7A0C7E732DCEA388E41A704962D814474B9DF3C95242B51E0CFC0118,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000347870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:17.799{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:17.799{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000347868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:17.336{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEB372620F75FC787FAD41C30664F1E6,SHA256=26A79A5E9200DC1B752E047177000879A775F3FDB0808E769667E506FB164B8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:17.248{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92AEE1B2768EEBB21E3B32E4177ADA05,SHA256=5CFFF4B57D8E21540B4EF303A847C8F89F0FC6379449B35431C01A6DE1F86FA9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:14.287{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49874-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000347872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:16.279{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63534-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000347871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:18.436{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB58B844C2F3A31485F92AF6BDEEDC26,SHA256=D3FC05A20459EB30A46DD641BDF659148E8674D3B87ADD9E88ED3FD59F1DF924,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:18.345{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94D385FC0950EA858261B293336A1A99,SHA256=DE396D2C45833429B3A1A5AC6C8C1C454BE792BAB3ED7FE746B67247A56A7634,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000347899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:19.794{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2E00-000000007502}2728C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:19.793{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2D00-000000007502}2720C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:19.789{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 23542300x8000000000000000347896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:19.530{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C22D7170D40EDA38BFDC340BBC6A1E4,SHA256=C44A43193CB595372402A029BE0414731F8F3913C05CD3615858FE91278B0272,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:19.425{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E2DFE2A1019AF25E05C0A26F4C04A4F,SHA256=38C992CBD8B1A69A108FD170DD0F1457FF89BFD35DCDD2CF92A6D5420A57B778,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000347895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:19.360{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:19.354{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2900-000000007502}2576C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:19.352{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:19.352{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:19.348{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:19.324{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2600-000000007502}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:19.312{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2500-000000007502}2460C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:19.305{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADB-6323-2300-000000007502}2300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:19.303{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD2-6323-1B00-000000007502}1512C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:19.297{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1700-000000007502}1348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:19.283{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1600-000000007502}1292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:19.261{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:19.256{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1400-000000007502}1160C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:19.251{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1300-000000007502}924C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:19.242{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1200-000000007502}396C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:19.234{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1100-000000007502}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:19.227{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1000-000000007502}428C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:19.216{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0F00-000000007502}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:19.209{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:19.200{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0D00-000000007502}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:19.193{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:19.155{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:19.151{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0900-000000007502}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 23542300x8000000000000000190432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:20.715{E743DC12-4AD1-6323-2200-000000007602}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:20.512{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BD72BEC800E46C0C08FADBDA7FA419A,SHA256=28AC3DA722D566523E372C24B6D934B728AF63A7F68B68EB158B9B29BF5C6690,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000347900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:20.590{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03B71C58865598DA326662FD928C6F64,SHA256=CFB0DC9B50D07403BB2FC04F3389E962F3B8354A357587525D09899BBF9805FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:21.830{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF5D0CB1F74ECB7E7FE18EB82758627F,SHA256=17AA660994F492412042266CF0B4B0CDE9173FAD7B78E297E456A1754B32C25A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000347916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:21.878{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3500-000000007502}2408C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:21.874{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3300-000000007502}2176C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:21.870{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:21.868{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3100-000000007502}2816C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:21.864{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2F00-000000007502}2800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:21.860{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3000-000000007502}2780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 23542300x8000000000000000347910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:21.675{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF5458CB044DAD03F7FEFDA126905E84,SHA256=CE26394980C5A1A47A3AFBF94A3EF6B51AB804BD12F7DAB1E655A19AEFC8F103,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000347909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:21.638{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000347908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:21.638{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000347907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:21.638{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000347906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:21.631{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000347905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:21.631{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000347904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:21.616{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000347903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:21.615{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000190433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:21.466{E743DC12-4AD0-6323-1C00-000000007602}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\respondent-20220915155459-014MD5=36EB26F9EED14D2A649109B5B0D3FC1A,SHA256=D5225DBB467937E991D5678F78067E4612BF477D9EC2143F1C43E71004CE921E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000347902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:21.583{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:21.583{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000190438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:22.914{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55407F8B9FD65C0A48E2778159624FD9,SHA256=105B89003D84C50089726551D65CA647B85F05B45A8409CBFE444D554D7FAA1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000347945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:22.910{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=928F174CEC6E5DAA46BE0110D7F82F83,SHA256=8E6C49E553D735CA172A0271ABC383FF62FDEC3AA6C57A38CCFEA87CA1B48436,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:22.474{E743DC12-4AD0-6323-1C00-000000007602}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\surveyor-20220915155457-015MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:19.941{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49876-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x8000000000000000190435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:19.376{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49875-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000347944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:22.583{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:22.575{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:22.571{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:22.567{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:22.565{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:22.559{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:22.554{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF6-6323-1401-000000007502}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:22.549{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:22.545{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F100-000000007502}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:22.540{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F000-000000007502}6028C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:22.538{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EF00-000000007502}5984C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:22.521{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EE00-000000007502}5852C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:22.495{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:22.486{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:22.468{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:22.437{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:22.424{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-9100-000000007502}4556C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:22.416{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-8E00-000000007502}4492C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:22.411{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8B00-000000007502}4360C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:22.409{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8900-000000007502}900C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:22.407{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B64-6323-8600-000000007502}5052c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:22.405{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B5A-6323-8400-000000007502}4824C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:22.403{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AF2-6323-7D00-000000007502}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:22.401{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:22.397{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4C00-000000007502}3976C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:22.396{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4700-000000007502}3772C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:22.394{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE1-6323-4600-000000007502}3752C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000347917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:22.393{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE0-6323-3A00-000000007502}3404C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 23542300x8000000000000000190448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:23.992{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E470597AD11A83FE791D1152CD183894,SHA256=52107A63F3E592AAAB0C9C410B7A4B54E47ADF4F0746D1BC3F0344B311D053A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:23.988{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1200-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:23.980{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1100-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:23.970{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1000-000000007602}940C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:23.964{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0F00-000000007602}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:23.955{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0E00-000000007602}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:23.948{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0D00-000000007602}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:23.940{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0C00-000000007602}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:23.933{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:23.930{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0900-000000007602}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 354300x8000000000000000348002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:21.406{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63535-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x8000000000000000348001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.846{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 23542300x8000000000000000348000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.846{6820D070-4ADF-6323-3200-000000007502}2936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000347999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.846{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000347998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.840{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000347997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.824{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000347996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.824{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000347995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.822{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000347994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.821{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000347993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.820{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000347992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.809{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 23542300x8000000000000000347991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.801{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=BF12653DBEE53E0572427FED9079A79D,SHA256=159F9A6795A155B5B7E9EB3426EAB6CEBE050CA5810BE824705131F49BC90FB1,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000347990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.801{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000347989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.801{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000347988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.800{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000347987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.796{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 10341000x8000000000000000347986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.773{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000347985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.773{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000347984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.773{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000347983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.772{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000347982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.772{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000347981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.772{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 734700x8000000000000000347980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.772{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000347979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.754{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000347978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.743{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000347977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.724{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000347976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.724{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000347975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.724{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000347974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.724{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000347973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.724{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000347972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.724{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000347971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.724{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000347970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.724{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000347969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.724{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000347968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.724{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000347967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.724{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000347966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.724{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000347965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.724{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000347964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.723{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000347963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.723{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000347962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.721{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000347961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.721{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000347960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.721{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000347959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.717{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000347958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.716{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 10341000x8000000000000000347957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.715{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000347956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.714{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000347955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.714{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000347954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.713{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000347953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.712{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000347952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.712{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.712{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.712{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.712{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000347948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.696{6820D070-4ACF-6323-0500-000000007502}404420C:\Windows\system32\csrss.exe{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000347947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.696{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000347946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.540{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000190476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:24.987{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71604489873EE344E5F230D54AE655A1,SHA256=B9DEA9BAEC15F2B8B61A7F76D7B0FF3FE41C6C977029EEE9FD538ABCB9B0AAAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000348064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.829{6820D070-4E70-6323-4801-000000007502}1009210096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000348063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.829{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000348062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.828{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000348061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.798{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000348060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.798{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000348059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.798{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000348058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.798{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000348057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.798{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000348056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.797{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 734700x8000000000000000348055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.647{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000348054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.647{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000348053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.647{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000348052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.641{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000348051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.641{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000348050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.641{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000348049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.641{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000348048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.641{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000348047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.641{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000348046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.625{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000348045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.625{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000348044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.625{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000348043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.625{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000348042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.625{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000348041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.625{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000348040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.625{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000348039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.625{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000348038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.625{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000348037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.625{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000348036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.625{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000348035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.625{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000348034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.625{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000348033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.625{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000348032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.625{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000348031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.625{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000348030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.625{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000348029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.625{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000348028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.625{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000348027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.625{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000348026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.625{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000348025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.625{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000348024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.625{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000348023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.625{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000348022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.624{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000348021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.624{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000348020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.624{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000348019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.623{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000348018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.622{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000348017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.622{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000348016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.621{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000348015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.621{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000348014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.620{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.620{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.620{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.620{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.619{6820D070-4ACF-6323-0500-000000007502}404420C:\Windows\system32\csrss.exe{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000348009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.619{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000348008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.442{6820D070-4E70-6323-4801-000000007502}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000348007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.615{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2567E666EF22F31E0425BDA4679BE11F,SHA256=D68F36DC4151A1CB0C92043D461A3131FFB7CAE425A7268D5A1C0D40525C7A40,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000348006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.085{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000348005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.085{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000348004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.080{6820D070-4E6F-6323-4701-000000007502}7600C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000348003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:24.025{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56879817A27BD48122F0D8C02CC20F5D,SHA256=0526D05AAE957437FE1012272B4BCDF9DE5308BDFC0F3D12D47BB463AE010582,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:24.182{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B84-6323-9000-000000007602}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:24.173{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:24.157{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:24.146{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8700-000000007602}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:24.140{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B81-6323-8400-000000007602}3052C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:24.134{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B80-6323-8100-000000007602}640C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:24.132{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B7F-6323-7F00-000000007602}1676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:24.127{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B4B-6323-7B00-000000007602}2656C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:24.121{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AE3-6323-6D00-000000007602}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:24.120{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:24.117{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4200-000000007602}3036C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:24.116{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4000-000000007602}3000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:24.112{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-3C00-000000007602}2820C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:24.110{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD2-6323-2B00-000000007602}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:24.109{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2600-000000007602}2612C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:24.107{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2500-000000007602}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:24.098{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:24.094{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:24.092{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2000-000000007602}2000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:24.089{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1F00-000000007602}1984C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:24.078{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1C00-000000007602}1924C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:24.063{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1900-000000007602}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:24.046{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1700-000000007602}1228C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:24.044{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1600-000000007602}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:24.036{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1500-000000007602}1056C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:24.009{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1400-000000007602}1048C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:24.002{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1300-000000007602}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 354300x8000000000000000348122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:23.008{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63536-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 734700x8000000000000000348121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.695{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000348120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.695{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000348119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.695{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000348118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.520{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000348117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.519{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000348116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.519{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000348115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.518{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000348114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.516{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000348113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.516{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000348112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.515{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000348111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.515{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000348110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.494{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000348109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.494{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000348108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.494{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000348107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.494{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000348106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.494{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000348105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.494{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000348104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.494{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000348103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.494{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000348102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.494{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000348101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.494{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000348100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.494{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000348099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.494{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000348098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.494{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000348097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.494{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000348096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.494{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000348095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.494{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000348094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.494{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000348093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.494{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000348092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.494{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000348091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.494{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000348090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.494{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000348089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.494{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000348088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.494{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000348087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.494{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000348086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.494{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000348085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.494{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000348084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.494{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000348083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.494{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000348082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.494{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 23542300x8000000000000000348081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.494{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C5B5DD974C4F1D3309FCC5DD0778DE3,SHA256=B953526F256DBD364EC58C442973F03EB431736F14A26EF40AFC22A996CFAC80,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000348080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.494{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000348079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.494{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000348078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.494{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 23542300x8000000000000000348077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.494{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5C918FFAFACD1DE5A8A8EBDAEFDFE47,SHA256=18E83BA9106787F4A47CEC33750CAADA2276F13F509CA747D718E3523BC46F8E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000348076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.494{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000348075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.494{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000348074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.494{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000348073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.479{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000348072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.479{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000348071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.479{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.479{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.479{6820D070-4ACF-6323-0500-000000007502}404520C:\Windows\system32\csrss.exe{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000348068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.479{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.479{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.479{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000348065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.326{6820D070-4E71-6323-4901-000000007502}7780C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000348174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.627{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52844FC5ECAB4A89556293AAB8C84622,SHA256=2B2DBA557B29C49BF67143A576FF509BA697A7FF2513A217E8348EA8031DA4CE,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000348173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.581{6820D070-4E72-6323-4A01-000000007502}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000348172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.581{6820D070-4E72-6323-4A01-000000007502}81528176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000348171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.581{6820D070-4E72-6323-4A01-000000007502}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000348170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.581{6820D070-4E72-6323-4A01-000000007502}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000190477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:26.051{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C5DDD2D197D00183A20472AB1024895,SHA256=FF259156DEDEB8DC424B593579A917EE45C3C19C9B151D3EE10DE5336795BC39,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000348169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.395{6820D070-4E72-6323-4A01-000000007502}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000348168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.395{6820D070-4E72-6323-4A01-000000007502}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000348167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.395{6820D070-4E72-6323-4A01-000000007502}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000348166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.395{6820D070-4E72-6323-4A01-000000007502}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000348165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.395{6820D070-4E72-6323-4A01-000000007502}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000348164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.395{6820D070-4E72-6323-4A01-000000007502}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000348163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.379{6820D070-4E72-6323-4A01-000000007502}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000348162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.379{6820D070-4E72-6323-4A01-000000007502}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000348161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.379{6820D070-4E72-6323-4A01-000000007502}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000348160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.379{6820D070-4E72-6323-4A01-000000007502}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000348159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.379{6820D070-4E72-6323-4A01-000000007502}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000348158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.379{6820D070-4E72-6323-4A01-000000007502}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000348157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.379{6820D070-4E72-6323-4A01-000000007502}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000348156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.379{6820D070-4E72-6323-4A01-000000007502}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000348155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.379{6820D070-4E72-6323-4A01-000000007502}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000348154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.379{6820D070-4E72-6323-4A01-000000007502}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000348153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.379{6820D070-4E72-6323-4A01-000000007502}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000348152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.379{6820D070-4E72-6323-4A01-000000007502}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000348151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.379{6820D070-4E72-6323-4A01-000000007502}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000348150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.379{6820D070-4E72-6323-4A01-000000007502}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000348149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.379{6820D070-4E72-6323-4A01-000000007502}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000348148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.379{6820D070-4E72-6323-4A01-000000007502}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000348147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.379{6820D070-4E72-6323-4A01-000000007502}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000348146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.379{6820D070-4E72-6323-4A01-000000007502}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000348145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.379{6820D070-4E72-6323-4A01-000000007502}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000348144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.364{6820D070-4E72-6323-4A01-000000007502}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000348143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.364{6820D070-4E72-6323-4A01-000000007502}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000348142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.364{6820D070-4E72-6323-4A01-000000007502}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000348141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.364{6820D070-4E72-6323-4A01-000000007502}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000348140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.364{6820D070-4E72-6323-4A01-000000007502}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000348139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.364{6820D070-4E72-6323-4A01-000000007502}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000348138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.364{6820D070-4E72-6323-4A01-000000007502}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000348137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.364{6820D070-4E72-6323-4A01-000000007502}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000348136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.364{6820D070-4E72-6323-4A01-000000007502}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000348135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.364{6820D070-4E72-6323-4A01-000000007502}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000348134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.364{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4E72-6323-4A01-000000007502}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000348133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.364{6820D070-4E72-6323-4A01-000000007502}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000348132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.364{6820D070-4E72-6323-4A01-000000007502}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000348131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.364{6820D070-4E72-6323-4A01-000000007502}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000348130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.364{6820D070-4E72-6323-4A01-000000007502}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000348129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.364{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.364{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.364{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.364{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.364{6820D070-4ACF-6323-0500-000000007502}404420C:\Windows\system32\csrss.exe{6820D070-4E72-6323-4A01-000000007502}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000348124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.364{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4E72-6323-4A01-000000007502}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000348123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:26.203{6820D070-4E72-6323-4A01-000000007502}8152C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000348269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.981{6820D070-4E73-6323-4C01-000000007502}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000348268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.981{6820D070-4E73-6323-4C01-000000007502}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000348267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.981{6820D070-4E73-6323-4C01-000000007502}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000348266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.981{6820D070-4E73-6323-4C01-000000007502}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000348265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.981{6820D070-4E73-6323-4C01-000000007502}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000348264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.981{6820D070-4E73-6323-4C01-000000007502}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000348263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.981{6820D070-4E73-6323-4C01-000000007502}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000348262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.981{6820D070-4E73-6323-4C01-000000007502}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000348261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.981{6820D070-4E73-6323-4C01-000000007502}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000348260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.981{6820D070-4E73-6323-4C01-000000007502}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000348259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.981{6820D070-4E73-6323-4C01-000000007502}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000348258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.981{6820D070-4E73-6323-4C01-000000007502}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000348257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.981{6820D070-4E73-6323-4C01-000000007502}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000348256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.981{6820D070-4E73-6323-4C01-000000007502}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 23542300x8000000000000000348255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.981{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEFE56D19D4978C7B2F14D849507B70A,SHA256=0A95F5C6A6C947BAEAD75BCD118A4B7B81ED6F2112F484DB7852DA22B0856695,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000348254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.981{6820D070-4E73-6323-4C01-000000007502}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000348253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.981{6820D070-4E73-6323-4C01-000000007502}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000348252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.981{6820D070-4E73-6323-4C01-000000007502}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000348251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.981{6820D070-4E73-6323-4C01-000000007502}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000348250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.981{6820D070-4E73-6323-4C01-000000007502}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000348249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.981{6820D070-4E73-6323-4C01-000000007502}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000348248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.981{6820D070-4E73-6323-4C01-000000007502}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000348247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.981{6820D070-4E73-6323-4C01-000000007502}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000348246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.981{6820D070-4E73-6323-4C01-000000007502}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000348245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.981{6820D070-4E73-6323-4C01-000000007502}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000348244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.981{6820D070-4E73-6323-4C01-000000007502}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000348243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.981{6820D070-4E73-6323-4C01-000000007502}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000348242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.981{6820D070-4E73-6323-4C01-000000007502}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000348241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.981{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4E73-6323-4C01-000000007502}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000348240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.981{6820D070-4E73-6323-4C01-000000007502}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000348239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.981{6820D070-4E73-6323-4C01-000000007502}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000348238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.981{6820D070-4E73-6323-4C01-000000007502}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000348237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.981{6820D070-4E73-6323-4C01-000000007502}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000348236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.981{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.981{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.981{6820D070-4ACF-6323-0500-000000007502}404420C:\Windows\system32\csrss.exe{6820D070-4E73-6323-4C01-000000007502}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000348233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.981{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.981{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.981{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4E73-6323-4C01-000000007502}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000348230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.982{6820D070-4E73-6323-4C01-000000007502}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000190478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:27.139{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=747A570D54D2040C87994D7CCB09B7DE,SHA256=EF6D1480FC9EFEB04C9CB60011781F989D47FB9F8D7F988EC9B1CEE0220890E6,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000348229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.528{6820D070-4E73-6323-4B01-000000007502}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000348228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.527{6820D070-4E73-6323-4B01-000000007502}81888148C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000348227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.517{6820D070-4E73-6323-4B01-000000007502}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000348226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.516{6820D070-4E73-6323-4B01-000000007502}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000348225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.396{6820D070-4ADF-6323-3200-000000007502}2936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=06F0288FC6BB52A4EF5733A38269AE36,SHA256=5226A16BAB468B453CFBB6FA8A51B14B1511A1F42EE56EC25169FFEF501B8C8C,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000348224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.326{6820D070-4E73-6323-4B01-000000007502}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000348223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.326{6820D070-4E73-6323-4B01-000000007502}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000348222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.326{6820D070-4E73-6323-4B01-000000007502}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000348221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.324{6820D070-4E73-6323-4B01-000000007502}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000348220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.319{6820D070-4E73-6323-4B01-000000007502}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000348219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.318{6820D070-4E73-6323-4B01-000000007502}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000348218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.318{6820D070-4E73-6323-4B01-000000007502}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000348217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.315{6820D070-4E73-6323-4B01-000000007502}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000348216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.296{6820D070-4E73-6323-4B01-000000007502}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000348215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.296{6820D070-4E73-6323-4B01-000000007502}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000348214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.296{6820D070-4E73-6323-4B01-000000007502}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000348213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.296{6820D070-4E73-6323-4B01-000000007502}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000348212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.296{6820D070-4E73-6323-4B01-000000007502}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000348211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.296{6820D070-4E73-6323-4B01-000000007502}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000348210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.296{6820D070-4E73-6323-4B01-000000007502}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000348209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.296{6820D070-4E73-6323-4B01-000000007502}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000348208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.296{6820D070-4E73-6323-4B01-000000007502}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000348207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.296{6820D070-4E73-6323-4B01-000000007502}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000348206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.296{6820D070-4E73-6323-4B01-000000007502}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000348205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.296{6820D070-4E73-6323-4B01-000000007502}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000348204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.296{6820D070-4E73-6323-4B01-000000007502}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000348203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.296{6820D070-4E73-6323-4B01-000000007502}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000348202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.296{6820D070-4E73-6323-4B01-000000007502}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000348201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.296{6820D070-4E73-6323-4B01-000000007502}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000348200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.296{6820D070-4E73-6323-4B01-000000007502}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000348199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.296{6820D070-4E73-6323-4B01-000000007502}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000348198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.296{6820D070-4E73-6323-4B01-000000007502}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000348197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.296{6820D070-4E73-6323-4B01-000000007502}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000348196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.296{6820D070-4E73-6323-4B01-000000007502}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000348195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.280{6820D070-4E73-6323-4B01-000000007502}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000348194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.280{6820D070-4E73-6323-4B01-000000007502}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000348193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.280{6820D070-4E73-6323-4B01-000000007502}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000348192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.280{6820D070-4E73-6323-4B01-000000007502}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000348191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.280{6820D070-4E73-6323-4B01-000000007502}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000348190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.280{6820D070-4E73-6323-4B01-000000007502}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000348189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.280{6820D070-4E73-6323-4B01-000000007502}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000348188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.280{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4E73-6323-4B01-000000007502}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000348187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.280{6820D070-4E73-6323-4B01-000000007502}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000348186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.280{6820D070-4E73-6323-4B01-000000007502}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000348185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.280{6820D070-4E73-6323-4B01-000000007502}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000348184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.280{6820D070-4E73-6323-4B01-000000007502}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000348183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.280{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.280{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.280{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.280{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.280{6820D070-4ACF-6323-0500-000000007502}404472C:\Windows\system32\csrss.exe{6820D070-4E73-6323-4B01-000000007502}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000348178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.280{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4E73-6323-4B01-000000007502}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000348177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.112{6820D070-4E73-6323-4B01-000000007502}8188C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000348176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.127{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.127{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000190480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:25.307{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49877-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000190479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:28.242{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D1402688D47775DA164822BF03B5489,SHA256=C3A9029528634BFD2481BCE96BCA0273FE2A6978707956678A069C7495EFCDC7,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000348331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.850{6820D070-4E74-6323-4D01-000000007502}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000348330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.849{6820D070-4E74-6323-4D01-000000007502}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000348329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.848{6820D070-4E74-6323-4D01-000000007502}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000348328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.847{6820D070-4E74-6323-4D01-000000007502}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000348327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.845{6820D070-4E74-6323-4D01-000000007502}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000348326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.845{6820D070-4E74-6323-4D01-000000007502}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000348325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.845{6820D070-4E74-6323-4D01-000000007502}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000348324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.838{6820D070-4E74-6323-4D01-000000007502}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000348323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.836{6820D070-4E74-6323-4D01-000000007502}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000348322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.815{6820D070-4E74-6323-4D01-000000007502}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000348321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.815{6820D070-4E74-6323-4D01-000000007502}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000348320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.815{6820D070-4E74-6323-4D01-000000007502}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000348319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.815{6820D070-4E74-6323-4D01-000000007502}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000348318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.815{6820D070-4E74-6323-4D01-000000007502}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000348317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.815{6820D070-4E74-6323-4D01-000000007502}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000348316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.815{6820D070-4E74-6323-4D01-000000007502}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000348315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.815{6820D070-4E74-6323-4D01-000000007502}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000348314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.815{6820D070-4E74-6323-4D01-000000007502}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000348313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.815{6820D070-4E74-6323-4D01-000000007502}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000348312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.814{6820D070-4E74-6323-4D01-000000007502}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000348311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.814{6820D070-4E74-6323-4D01-000000007502}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000348310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.814{6820D070-4E74-6323-4D01-000000007502}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000348309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.814{6820D070-4E74-6323-4D01-000000007502}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000348308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.814{6820D070-4E74-6323-4D01-000000007502}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000348307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.814{6820D070-4E74-6323-4D01-000000007502}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000348306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.814{6820D070-4E74-6323-4D01-000000007502}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000348305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.811{6820D070-4E74-6323-4D01-000000007502}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000348304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.811{6820D070-4E74-6323-4D01-000000007502}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000348303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.811{6820D070-4E74-6323-4D01-000000007502}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000348302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.811{6820D070-4E74-6323-4D01-000000007502}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000348301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.811{6820D070-4E74-6323-4D01-000000007502}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000348300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.811{6820D070-4E74-6323-4D01-000000007502}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000348299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.811{6820D070-4E74-6323-4D01-000000007502}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000348298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.811{6820D070-4E74-6323-4D01-000000007502}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000348297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.811{6820D070-4E74-6323-4D01-000000007502}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000348296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.810{6820D070-4E74-6323-4D01-000000007502}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000348295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.810{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4E74-6323-4D01-000000007502}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000348294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.809{6820D070-4E74-6323-4D01-000000007502}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000348293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.806{6820D070-4E74-6323-4D01-000000007502}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000348292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.806{6820D070-4E74-6323-4D01-000000007502}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000348291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.804{6820D070-4E74-6323-4D01-000000007502}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000348290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.803{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.803{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.803{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.803{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.802{6820D070-4ACF-6323-0500-000000007502}404520C:\Windows\system32\csrss.exe{6820D070-4E74-6323-4D01-000000007502}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000348285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.802{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4E74-6323-4D01-000000007502}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000348284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.646{6820D070-4E74-6323-4D01-000000007502}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000348283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.167{6820D070-4E73-6323-4C01-000000007502}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000348282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.167{6820D070-4E73-6323-4C01-000000007502}66406660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000348281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.167{6820D070-4E73-6323-4C01-000000007502}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000348280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:28.167{6820D070-4E73-6323-4C01-000000007502}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000348279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.814{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63537-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000348278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:25.814{6820D070-4ADF-6323-2600-000000007502}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63537-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 734700x8000000000000000348277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.997{6820D070-4E73-6323-4C01-000000007502}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000348276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.997{6820D070-4E73-6323-4C01-000000007502}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000348275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.997{6820D070-4E73-6323-4C01-000000007502}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000348274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.997{6820D070-4E73-6323-4C01-000000007502}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000348273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.997{6820D070-4E73-6323-4C01-000000007502}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000348272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.997{6820D070-4E73-6323-4C01-000000007502}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000348271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.997{6820D070-4E73-6323-4C01-000000007502}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000348270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.997{6820D070-4E73-6323-4C01-000000007502}6640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 23542300x8000000000000000190481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:29.309{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4441773D952215E25B60ED19DE395C8C,SHA256=C5E2055AB3D69F2D6654F81559C98AEE096E00E258733A1F02CD348FE4D1BAF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000348336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:29.168{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BAEDF228BA8F03F3991CF86FA765F91,SHA256=9E634F31B3F22DBBF2EF618EB10AB9882BF07B002B5764757BF4B11B701FA217,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000348335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:29.082{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B49295EB6E952CF8C0BFB15AA1582DCA,SHA256=989CDEFBD69D6A5C4DC46D90657ADAAD84F4F247C7DDA3D5BE5C4E3D117832D7,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000348334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:29.051{6820D070-4E74-6323-4D01-000000007502}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000348333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:29.051{6820D070-4E74-6323-4D01-000000007502}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000348332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:29.051{6820D070-4E74-6323-4D01-000000007502}6512C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000190482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:30.389{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE8224FE675C47FFDCF70AC2055CE0FB,SHA256=02BBB27D9003AA2BB9CE11EC35525247A5D97DB8E04522C3FFEFA4DF688F08A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000348337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:30.119{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8725AE509C1DACD92B10B3C2FF37AA3B,SHA256=4C7BAAAA457FCFAFC7DE037E7582D532948C906581255B91C60318B5A0C0177F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:31.470{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F590A588EA0245AE6A6E7766DE81108,SHA256=217CE56BF1759D8593C94DFC23A1510D30CCCC01472FA1CAF181DF76F90CC828,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000348344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:31.186{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41F6C9087F230400B8F438C0D242CF00,SHA256=B8823ED539C0277C51AADE57BC0619B1A16657A71361BBA8837106F7C1A3AE8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000348343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:27.293{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63538-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000348342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:31.053{6820D070-4B7F-6323-9900-000000007502}29725752C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:31.053{6820D070-4B7F-6323-9900-000000007502}29725752C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:31.053{6820D070-4B7F-6323-9900-000000007502}29725752C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:31.000{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:31.000{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000190484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:32.556{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9698899D960366B42C74E81E418800F5,SHA256=36292254F68A6D99A6B15DBD2E6AB9C9E068BCE01B830653B36537F494E2C9AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000348418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.812{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000348417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.812{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000348416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.812{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 23542300x8000000000000000348415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.789{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=787B94049CFD33DA6C162ACF38CA52DF,SHA256=0D9D730000802C6507177DDC06D30A0F011CC6E8F740F773544DBBFA4E8A51FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000348414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.775{6820D070-4E46-6323-4401-000000007502}51769140C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000AAA85D7)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+13bcf(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+168b9(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+d8ba(wow64)|UNKNOWN(000000000ABD9240)|UNKNOWN(000000000ABD9008)|UNKNOWN(000000000ABD8EA6)|UNKNOWN(000000000ABD8DEC)|UNKNOWN(000000000AB7057E)|UNKNOWN(000000000AAAFC09)|UNKNOWN(000000000AAAF531)|UNKNOWN(000000000AAA599D)|UNKNOWN(000000000AAA5237)|UNKNOWN(000000000AAA4FC5) 10341000x8000000000000000348413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.775{6820D070-4E46-6323-4401-000000007502}51769140C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000AAA85D7)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+13814(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+e8b9(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+e99e(wow64)|UNKNOWN(000000000ABD9008)|UNKNOWN(000000000ABD8EA6)|UNKNOWN(000000000ABD8DEC)|UNKNOWN(000000000AB7057E)|UNKNOWN(000000000AAAFC09)|UNKNOWN(000000000AAAF531)|UNKNOWN(000000000AAA599D)|UNKNOWN(000000000AAA5237)|UNKNOWN(000000000AAA4FC5)|UNKNOWN(000000000DC4ADBC) 10341000x8000000000000000348412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.656{6820D070-4E46-6323-4401-000000007502}51769140C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000AAA85D7)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+13bcf(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+168b9(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+d8ba(wow64)|UNKNOWN(000000000AB70D00)|UNKNOWN(000000000AB70A1C)|UNKNOWN(000000000AB704CA)|UNKNOWN(000000000AAAFC09)|UNKNOWN(000000000AAAF531)|UNKNOWN(000000000AAA599D)|UNKNOWN(000000000AAA5237)|UNKNOWN(000000000AAA4FC5)|UNKNOWN(000000000DC4ADBC)|UNKNOWN(000000000DC493C5) 10341000x8000000000000000348411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.656{6820D070-4E46-6323-4401-000000007502}51769140C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000AAA85D7)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+13814(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+e8b9(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+e99e(wow64)|UNKNOWN(000000000AB70A1C)|UNKNOWN(000000000AB704CA)|UNKNOWN(000000000AAAFC09)|UNKNOWN(000000000AAAF531)|UNKNOWN(000000000AAA599D)|UNKNOWN(000000000AAA5237)|UNKNOWN(000000000AAA4FC5)|UNKNOWN(000000000DC4ADBC)|UNKNOWN(000000000DC493C5)|UNKNOWN(000000000DC48E6E) 10341000x8000000000000000348410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.656{6820D070-4E46-6323-4401-000000007502}51769140C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000AB70C4A)|UNKNOWN(000000000AB70ADF)|UNKNOWN(000000000AB709EF)|UNKNOWN(000000000AB704CA)|UNKNOWN(000000000AAAFC09)|UNKNOWN(000000000AAAF531)|UNKNOWN(000000000AAA599D)|UNKNOWN(000000000AAA5237)|UNKNOWN(000000000AAA4FC5)|UNKNOWN(000000000DC4ADBC)|UNKNOWN(000000000DC493C5)|UNKNOWN(000000000DC48E6E)|UNKNOWN(000000000DC48DA8)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64) 10341000x8000000000000000348409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.634{6820D070-4E46-6323-4401-000000007502}51766296C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exe0x1038C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000AAA70FA)|UNKNOWN(000000001B0CFAB2)|UNKNOWN(000000001B0CF286)|UNKNOWN(000000001C3EF715)|UNKNOWN(000000001C3EF637)|UNKNOWN(000000001B29D9E9)|UNKNOWN(000000001B29D841)|UNKNOWN(000000001B29D7F9)|UNKNOWN(000000001B29D69A)|UNKNOWN(000000001B29D4FE)|UNKNOWN(000000001B29D313)|UNKNOWN(000000001B29D1BC)|UNKNOWN(000000001B29C087) 10341000x8000000000000000348408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.634{6820D070-4E46-6323-4401-000000007502}51769140C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000AAA85D7)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+13bcf(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+168b9(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+15b8f(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+fdd2(wow64)|UNKNOWN(000000000AAA7DFE)|UNKNOWN(000000000AAA6E69)|UNKNOWN(000000000AAA5C1F)|UNKNOWN(000000000AAA5730)|UNKNOWN(000000000AAA5237)|UNKNOWN(000000000AAA4FC5)|UNKNOWN(000000000DC4ADBC)|UNKNOWN(000000000DC493C5)|UNKNOWN(000000000DC48E6E) 10341000x8000000000000000348407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.630{6820D070-4E46-6323-4401-000000007502}51769140C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000AAA85D7)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+13814(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+e8b9(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+e99e(wow64)|UNKNOWN(000000000AAA6E69)|UNKNOWN(000000000AAA5C1F)|UNKNOWN(000000000AAA5730)|UNKNOWN(000000000AAA5237)|UNKNOWN(000000000AAA4FC5)|UNKNOWN(000000000DC4ADBC)|UNKNOWN(000000000DC493C5)|UNKNOWN(000000000DC48E6E)|UNKNOWN(000000000DC48DA8)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64) 10341000x8000000000000000348406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.627{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.625{6820D070-4E46-6323-4401-000000007502}51769140C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exe0x1038C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000AAA70FA)|UNKNOWN(000000000AAA6D52)|UNKNOWN(000000000AAA5C1F)|UNKNOWN(000000000AAA5730)|UNKNOWN(000000000AAA5237)|UNKNOWN(000000000AAA4FC5)|UNKNOWN(000000000DC4ADBC)|UNKNOWN(000000000DC493C5)|UNKNOWN(000000000DC48E6E)|UNKNOWN(000000000DC48DA8)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+25f311(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+255d72(wow64)|C:\Users\Administrator\Downloads\bin\coreclr.dll+11adaf(wow64) 10341000x8000000000000000348404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.620{6820D070-4E46-6323-4401-000000007502}51766468C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000AAA4B7F)|UNKNOWN(000000000AAA4005)|UNKNOWN(00000000096CFBB2)|UNKNOWN(00000000096CF8F5)|UNKNOWN(000000000965E1C7)|UNKNOWN(000000000965E147)|UNKNOWN(000000000965DF5C)|UNKNOWN(0000000009658165)|UNKNOWN(0000000009657B96)|UNKNOWN(0000000009657AD0)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|UNKNOWN(000000001B29D69A)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+255d72(wow64)|C:\Users\Administrator\Downloads\bin\coreclr.dll+11adaf(wow64) 10341000x8000000000000000348403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.587{6820D070-4E46-6323-4401-000000007502}51766552C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d6e0(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ca(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ea(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dae6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dd11(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e2de(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e4ae(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll+6a31(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll+749d(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dfe2(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e0b6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e177(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e5fa(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1142a(wow64) 10341000x8000000000000000348402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.587{6820D070-4E46-6323-4401-000000007502}51766552C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+de5f(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dca6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e2de(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e4ae(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll+6a31(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll+749d(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dfe2(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e0b6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e177(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e5fa(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1142a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 734700x8000000000000000348401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.587{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft .NET External Data Access SupportMicrosoft® .NET FrameworkMicrosoft Corporationcordacwks.dllMD5=0ACFE06D73EFBCAFACF72A22F7D79E91,SHA256=525591629E48EC84FE78DBC621AE91536E7039B50593B60AD6B3801B1F91EB5A,IMPHASH=F0FBF635B7EFD828980AA6937580AF82trueMicrosoft CorporationValid 10341000x8000000000000000348400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.587{6820D070-4E46-6323-4401-000000007502}51766552C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d6e0(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ca(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ea(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dae6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dd11(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e195(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1d732(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e5fa(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1142a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000348399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.587{6820D070-4E46-6323-4401-000000007502}51766552C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+de5f(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dca6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e195(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1d732(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e5fa(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1142a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 734700x8000000000000000348398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.571{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9268_none_d08e1538442a243e\msvcr80.dll8.00.50727.9268Microsoft® C Runtime LibraryMicrosoft® Visual Studio® 2005Microsoft CorporationMSVCR80.DLLMD5=26A95438C2D0E0C41B73D19400F4C2DB,SHA256=CC97DCB66E3150CD14294D21AD0E10C7472DF45CAF37E49675A70ED406882BE2,IMPHASH=7FECBC4A16A5DC85A5394A1DF6217680trueMicrosoft WindowsValid 734700x8000000000000000348397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.571{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft .NET Runtime Common Language Runtime - WorkStationMicrosoft® .NET FrameworkMicrosoft Corporationmscorwks.dllMD5=25CEE067AED86FF988C8D31BD7212A21,SHA256=3E0987EFC92F4BCD2798934A70BBEDCADB37899B4F6225279F3685A0DB5BB2F8,IMPHASH=C8D17502D1A38C77CC8770F7291FD333trueMicrosoft CorporationValid 734700x8000000000000000348396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.571{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9,IMPHASH=313B85F092EA5CD18DD8311E8921D208trueMicrosoft WindowsValid 734700x8000000000000000348395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.571{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69,IMPHASH=9F60CD6001B5CEA647B250DFF3B6F65AtrueMicrosoft WindowsValid 734700x8000000000000000348394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.571{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3,IMPHASH=EA6E499F92F9040E9609EFDC47BE01FEtrueMicrosoft WindowsValid 734700x8000000000000000348393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.571{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62A,IMPHASH=5D2578ED274AAD83C30A3917C98404EEtrueMicrosoft WindowsValid 734700x8000000000000000348392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.571{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8C,IMPHASH=5D92B73B6930EFBC71A36B7FEF62DF62trueMicrosoft WindowsValid 734700x8000000000000000348391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.556{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=8B516F883167509677B58B9984D8EEA2,SHA256=47F9B88E4038517FC8C5FEB3AC04B21A885EE505143952C96A23FE851869A90E,IMPHASH=E698C8E2E06172CDB524686FF10A5C5EtrueMicrosoft WindowsValid 734700x8000000000000000348390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.534{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDF,IMPHASH=25AFDCBDCE8BEB6A7109D378495BE552trueMicrosoft WindowsValid 734700x8000000000000000348389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.534{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87,IMPHASH=44F906D172B935DEA0C5D038C6FA8449trueMicrosoft WindowsValid 734700x8000000000000000348388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.534{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=9629C30BA0F10D72FD189FCA987B0E29,SHA256=4DDAF3BB8CE239A8AD41F333AE7D2AD6B7763B9ED8B862695B67F60E5ADE031C,IMPHASH=7E0E904C0FD68DBF5F794D700C0C3C3DtrueMicrosoft WindowsValid 734700x8000000000000000348387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.519{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6CE01AB1C2063B171AD7432B130FEBBD,SHA256=F554E9818C54F6C760C6E53BAEABCA3F5CAD683C028460307F3D93C7A8B06F02,IMPHASH=2D7046CEF5DEEA9D960D37CB0A98F146trueMicrosoft WindowsValid 734700x8000000000000000348386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.502{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=606B77C072A964DA4E4710151CAC86EB,SHA256=C6C9E8D77B62C7A52E6E9EAC764C1E1345779FC17544B80730E507627A5D5120,IMPHASH=25F1E57C7A6ED06AAF329CB7B168FA29trueMicrosoft CorporationValid 734700x8000000000000000348385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.502{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8,IMPHASH=918DADABE6E41CFBB03F954A46D3F72EtrueMicrosoft WindowsValid 734700x8000000000000000348384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.502{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891,IMPHASH=C7D6B46400E43E7BE538D1CCB512EC25trueMicrosoft WindowsValid 734700x8000000000000000348383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.502{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=1B90C58145F4B3C0743C470793469AD6,SHA256=21D752964E10DBB4DFC589856AA808D31E301B93C9E5FF6D1655D32FBD00AF44,IMPHASH=AC11100B3FFA7FCAFA188E618E4C7CC1trueMicrosoft WindowsValid 734700x8000000000000000348382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.502{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=C6EE0DB29435BF41835FFA96EB2F14C5,SHA256=CAF9E05D47F84728986E1BF563B3B87FAF3522F4E0CC4FD95694F418C307AD92,IMPHASH=DFB6F6F4811855AE14F8E8492E1C602FtrueMicrosoft WindowsValid 734700x8000000000000000348381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.487{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=495127E6E6D5CAEDE18A809EAEFFC349,SHA256=9F621D36BCD75AE97E1BCBA9BBFD75FEC74C6CA87AEF81F3190173CBF7CC2A45,IMPHASH=C3B61C1F5D46A607D624033E7094E4FFtrueMicrosoft WindowsValid 734700x8000000000000000348380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.487{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0B,IMPHASH=B5CBF1B1B5086E2C500FD84325E04D44trueMicrosoft WindowsValid 734700x8000000000000000348379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.471{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7,IMPHASH=8B861EA72FDD6FC722328B2746B13380trueMicrosoft WindowsValid 734700x8000000000000000348378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.471{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=25ADC994F9AF8716E35487995DDB45CE,SHA256=47B573E7708AAA00F2BE6E8EB7F3CB1B4817E65FACBBB1D772970A8F710DAF61,IMPHASH=6E1D0A92C1917EFBFC1EEA82FA5E155FtrueMicrosoft WindowsValid 734700x8000000000000000348377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.455{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=2BF0F8D3C4FB14CB0DB195FED475AC53,SHA256=42360027F12D825CFA04158EEF4DE264AC74C7FD48C2C2EE384519714183436F,IMPHASH=EAF4CC449835E7A81A8EEFEBEB2E8FC7trueMicrosoft WindowsValid 734700x8000000000000000348376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.455{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=2582AA6C1F88D34B37B7F82D790D232E,SHA256=AA948BB6583057E2E2F299EBD1717A42D6559CA27AF6BC756D3C3BB4109E4E77,IMPHASH=900F88A34CE398C54C9022F5335E8EA9trueMicrosoft WindowsValid 734700x8000000000000000348375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.455{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82,IMPHASH=15CD876FB3F6EC97A2F7466360415F86trueMicrosoft WindowsValid 734700x8000000000000000348374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.455{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000348373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.455{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000348372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.455{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=2BF0F8D3C4FB14CB0DB195FED475AC53,SHA256=42360027F12D825CFA04158EEF4DE264AC74C7FD48C2C2EE384519714183436F,IMPHASH=EAF4CC449835E7A81A8EEFEBEB2E8FC7trueMicrosoft WindowsValid 734700x8000000000000000348371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.449{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000348370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.449{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0,IMPHASH=3045357B61B63AEF6CBCD96F2FA7E9D8trueMicrosoft WindowsValid 734700x8000000000000000348369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.434{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5D,IMPHASH=03B9E38A9E88FDC66380837CCC8647FAtrueMicrosoft WindowsValid 734700x8000000000000000348368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.434{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=B04953E4C38042AD2628FA49AB42AB5C,SHA256=7B2B4662D3EE0D6DD673C0FEEE4B28E2E16ABF534DF3076497C6B6B40E8BE9C1,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000348367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.425{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Temp\agent_tesla-deob.exe0.0.0.0 --aLSZnlmnjFkdUuYoWBWV.exeMD5=3C907809BF409DFC1B14320749711692,SHA256=2C23D19BE9D8132A791A3EE3983212BA4CF82ADAB54F87642AF572721BB081AE,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744false-Unavailable 734700x8000000000000000348366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.425{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000348365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.424{6820D070-4E46-6323-4401-000000007502}51766416C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d6e0(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ca(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ea(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+f6f0(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+eb46(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1a9a1(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1a720(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+ca3d(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000348364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.422{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.422{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.422{6820D070-4B7C-6323-8800-000000007502}6284268C:\Windows\system32\csrss.exe{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000348361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.422{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.422{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.422{6820D070-4E46-6323-4401-000000007502}51766416C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9328(wow64)|C:\Windows\System32\KERNELBASE.dll+d800c(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1a871(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1a937(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1a720(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+ca3d(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000348358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.419{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exe0.0.0.0 --aLSZnlmnjFkdUuYoWBWV.exe"C:\Temp\agent_tesla-deob.exe"C:\Temp\ATTACKRANGE\Administrator{6820D070-4B7D-6323-1F63-0C0000000000}0xc631f2HighMD5=3C907809BF409DFC1B14320749711692,SHA256=2C23D19BE9D8132A791A3EE3983212BA4CF82ADAB54F87642AF572721BB081AE,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe"C:\Users\Administrator\Downloads\dnSpy.exe" 10341000x8000000000000000348357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.418{6820D070-4AD1-6323-1000-000000007502}4286492C:\Windows\System32\svchost.exe{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000348356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.402{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.IO.Pipes.dll6.0.21.52210System.IO.PipesMicrosoft® .NETMicrosoft CorporationSystem.IO.Pipes.dllMD5=EA7FE76F30C84D09A935D61CAA8028DD,SHA256=09330878D5A90173B44D57FFA817AE86E7A19A551FA1DC87E5F73085401A6514,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000348355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.402{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Console.dll6.0.21.52210System.ConsoleMicrosoft® .NETMicrosoft CorporationSystem.Console.dllMD5=A9DC3BBD8195E7D81166401EDA15311F,SHA256=0FF716986D219C72C0AC9AB96CC29B6A92B6FA3BB827D13FF2AD886BAE67C0A0,IMPHASH=00000000000000000000000000000000true.NETValid 734700x8000000000000000348354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.386{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft .NET Runtime Common Language Runtime - WorkStationMicrosoft® .NET FrameworkMicrosoft Corporationmscorwks.dllMD5=25CEE067AED86FF988C8D31BD7212A21,SHA256=3E0987EFC92F4BCD2798934A70BBEDCADB37899B4F6225279F3685A0DB5BB2F8,IMPHASH=C8D17502D1A38C77CC8770F7291FD333trueMicrosoft CorporationValid 10341000x8000000000000000348353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.334{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000348352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.334{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9268_none_d08e1538442a243e\msvcr80.dll8.00.50727.9268Microsoft® C Runtime LibraryMicrosoft® Visual Studio® 2005Microsoft CorporationMSVCR80.DLLMD5=26A95438C2D0E0C41B73D19400F4C2DB,SHA256=CC97DCB66E3150CD14294D21AD0E10C7472DF45CAF37E49675A70ED406882BE2,IMPHASH=7FECBC4A16A5DC85A5394A1DF6217680trueMicrosoft WindowsValid 734700x8000000000000000348351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.331{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft .NET Runtime Debugging ServicesMicrosoft® .NET FrameworkMicrosoft Corporationmscordbi.dllMD5=3EC5E57DE99ADCD975E2447DA34AA6A9,SHA256=09FBDF531A60D66B7C911CC3ECC05C62506D442F0D778399B62985DF24845E43,IMPHASH=576AFCE6C6BCCCE6C07B4EC3638A6879trueMicrosoft CorporationValid 734700x8000000000000000348350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.303{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=606B77C072A964DA4E4710151CAC86EB,SHA256=C6C9E8D77B62C7A52E6E9EAC764C1E1345779FC17544B80730E507627A5D5120,IMPHASH=25F1E57C7A6ED06AAF329CB7B168FA29trueMicrosoft CorporationValid 734700x8000000000000000348349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.287{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=2582AA6C1F88D34B37B7F82D790D232E,SHA256=AA948BB6583057E2E2F299EBD1717A42D6559CA27AF6BC756D3C3BB4109E4E77,IMPHASH=900F88A34CE398C54C9022F5335E8EA9trueMicrosoft WindowsValid 23542300x8000000000000000348348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.271{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7375EF3CD368C405171C98FB58C18015,SHA256=EBBCBDA7AA347609776F21BCC27FC845986091E0C1D5DCD482B93254FDFCF526,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000348347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.207{6820D070-4B7F-6323-9900-000000007502}29725752C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.207{6820D070-4B7F-6323-9900-000000007502}29725752C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.207{6820D070-4B7F-6323-9900-000000007502}29725752C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000190486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:33.639{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72EDE0D19965518CDCDC44865CA25CB0,SHA256=DFC1107C1D2B30DEE9A9BBAF549726368964A826C66A7DC09EAC81977453FE3F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000348473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.830{6820D070-4E46-6323-4401-000000007502}51769140C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+eec5b(wow64)|UNKNOWN(0000000017009443)|UNKNOWN(00000000170093C9)|UNKNOWN(000000001700933D)|UNKNOWN(0000000017009266)|UNKNOWN(0000000017009172)|UNKNOWN(000000000DC4ADBC)|UNKNOWN(000000000DC493C5)|UNKNOWN(000000000DC48E6E)|UNKNOWN(000000000DC48DA8)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+25f311(wow64) 734700x8000000000000000348472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.822{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\WMINet_Utils.dll2.0.50727.8745 (WinRel.050727-8700)WMINet_Utils.dllMicrosoft® .NET FrameworkMicrosoft CorporationWMINet_Utils.dllMD5=FE3A877218F498F90DD1D097FB770BFA,SHA256=7B7AB5348E3143DB00D0FCE36E5A75867046B5C60FC52DC9E0A166CA2FDF714E,IMPHASH=422758B458E7A457D744549F961156CCtrueMicrosoft CorporationValid 734700x8000000000000000348471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.707{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Management.dllMD5=958FDDB17C667F7A3B6DCAF7A65D77CA,SHA256=2E169CCA1C98C89149E2022FCD0EDAC5037BFD5B4CBB7A6C38FCBBA048C42023,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000348470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.707{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Management.dllMD5=958FDDB17C667F7A3B6DCAF7A65D77CA,SHA256=2E169CCA1C98C89149E2022FCD0EDAC5037BFD5B4CBB7A6C38FCBBA048C42023,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000348469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.707{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Management.dllMD5=958FDDB17C667F7A3B6DCAF7A65D77CA,SHA256=2E169CCA1C98C89149E2022FCD0EDAC5037BFD5B4CBB7A6C38FCBBA048C42023,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000348468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.676{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft .NET Framework Custom MarshalersMicrosoft® .NET FrameworkMicrosoft CorporationCustomMarshalers.dllMD5=42DA151FFF2A55E85E078829BF3A0000,SHA256=2D942049C5C2BF2A6B7230BC7815B1759100E70125A9FC8C865FA87EF2FEA9C5,IMPHASH=6158BA7CC8ABE8F855A2AF17A6D4B2C0trueMicrosoft WindowsValid 734700x8000000000000000348467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.676{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft .NET Framework Custom MarshalersMicrosoft® .NET FrameworkMicrosoft CorporationCustomMarshalers.dllMD5=42DA151FFF2A55E85E078829BF3A0000,SHA256=2D942049C5C2BF2A6B7230BC7815B1759100E70125A9FC8C865FA87EF2FEA9C5,IMPHASH=6158BA7CC8ABE8F855A2AF17A6D4B2C0trueMicrosoft WindowsValid 734700x8000000000000000348466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.676{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft .NET Framework Custom MarshalersMicrosoft® .NET FrameworkMicrosoft CorporationCustomMarshalers.dllMD5=42DA151FFF2A55E85E078829BF3A0000,SHA256=2D942049C5C2BF2A6B7230BC7815B1759100E70125A9FC8C865FA87EF2FEA9C5,IMPHASH=6158BA7CC8ABE8F855A2AF17A6D4B2C0trueMicrosoft WindowsValid 734700x8000000000000000348465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.660{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\sxs.dll10.0.14393.5246 (rs1_release.220701-1744)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=2A16D108FE99577ABCC08B92F2765971,SHA256=AF5268F39CE35FA3215E8162A0BF4C1949D0F5FB7A284953362ED23507C5697F,IMPHASH=36E120EA05F8714D20693A7DA02D7326trueMicrosoft WindowsValid 734700x8000000000000000348464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.660{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000348463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.660{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000348462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.654{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000348461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.654{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000348460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.654{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2F,IMPHASH=844732D10340F10C1E97778BA10CF30EtrueMicrosoft WindowsValid 734700x8000000000000000348459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.638{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000348458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.638{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946,IMPHASH=2DCB08A6E31A83C3EA33C5793EFA9A56trueMicrosoft WindowsValid 734700x8000000000000000348457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.638{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088,IMPHASH=76F056ED62EDF4D48793D8C5EDA733ADtrueMicrosoft WindowsValid 734700x8000000000000000348456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.638{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 734700x8000000000000000348455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.638{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9,IMPHASH=CAC6B3339C5CAA083E24A4484EE86E29trueMicrosoft WindowsValid 10341000x8000000000000000348454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.637{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000348453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.627{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587B,IMPHASH=34AF29CE553D01A9CE643682A40D7CB5trueMicrosoft WindowsValid 734700x8000000000000000348452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.624{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040C,IMPHASH=789B4484C292CAC32E0806DEE3E8734AtrueMicrosoft WindowsValid 734700x8000000000000000348451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.607{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6D,IMPHASH=61592743BFAEF2F12950E5420FA2AEB1trueMicrosoft WindowsValid 10341000x8000000000000000348450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.508{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000348449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.493{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll8.0.50727.8745 (WinRel.050727-8700)Visual Basic Runtime LibraryMicrosoft® Visual Studio® 2005Microsoft CorporationMicrosoft.VisualBasic.DLLMD5=CF29781E0DDE50FADF81C98AFF4FC10E,SHA256=1C5084ECBBC3B9C976A44E6B0D335F83AFF78194C8C90F904C13E8C36BB628A9,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 23542300x8000000000000000348448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.493{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E1F0257D84314C8841BA000097B6067,SHA256=FDF41D4F65081DEA3BE07A419698C40F7F3CEC6D7403EB6B5591489C02EEA8C2,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000348447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.493{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll8.0.50727.8745 (WinRel.050727-8700)Visual Basic Runtime LibraryMicrosoft® Visual Studio® 2005Microsoft CorporationMicrosoft.VisualBasic.DLLMD5=CF29781E0DDE50FADF81C98AFF4FC10E,SHA256=1C5084ECBBC3B9C976A44E6B0D335F83AFF78194C8C90F904C13E8C36BB628A9,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000348446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.493{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll8.0.50727.8745 (WinRel.050727-8700)Visual Basic Runtime LibraryMicrosoft® Visual Studio® 2005Microsoft CorporationMicrosoft.VisualBasic.DLLMD5=CF29781E0DDE50FADF81C98AFF4FC10E,SHA256=1C5084ECBBC3B9C976A44E6B0D335F83AFF78194C8C90F904C13E8C36BB628A9,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000348445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.461{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=9178314010A9838BDEBA4C83B1F5F1CC,SHA256=2AD8E588254C7A26C2FA224AAFC0BADE9EBEC421624FDD3E798042A0AAA8322D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000348444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.461{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=9178314010A9838BDEBA4C83B1F5F1CC,SHA256=2AD8E588254C7A26C2FA224AAFC0BADE9EBEC421624FDD3E798042A0AAA8322D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000348443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.461{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=9178314010A9838BDEBA4C83B1F5F1CC,SHA256=2AD8E588254C7A26C2FA224AAFC0BADE9EBEC421624FDD3E798042A0AAA8322D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000348442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.407{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Windows.Forms.dllMD5=D7BE1A5DFB5FA4F5FDF413A7B4B226B3,SHA256=2BF63A02DD33395465CDADBF7276D2B6E95B43235CEC21B0931D4328EE03D31C,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000348441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.407{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Windows.Forms.dllMD5=D7BE1A5DFB5FA4F5FDF413A7B4B226B3,SHA256=2BF63A02DD33395465CDADBF7276D2B6E95B43235CEC21B0931D4328EE03D31C,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000348440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.407{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Windows.Forms.dllMD5=D7BE1A5DFB5FA4F5FDF413A7B4B226B3,SHA256=2BF63A02DD33395465CDADBF7276D2B6E95B43235CEC21B0931D4328EE03D31C,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000348439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.360{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\diasymreader.dll8.0.50727.8745 (WinRel.050727-8700)Dia based SymReaderMicrosoft® Visual Studio® 2005Microsoft Corporationdiasymreader.dllMD5=7D6A7AD508368F8A41E19A593BF8152A,SHA256=9385717A62043C46A22A99893139475ACB44C0096DDE9954C9BDED721F4581A2,IMPHASH=E2ADD10FCF5C120524D6149FB9E129DEtrueMicrosoft CorporationValid 23542300x8000000000000000348438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.338{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DC7B979EEC15F827E32A0A05B26C16E,SHA256=A94C8DBB04D046B9BD1F08D14E6A46AEC1E2BA5C0AF97F017BD033AD31AD9592,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000348437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.273{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft .NET Runtime Just-In-Time CompilerMicrosoft® .NET FrameworkMicrosoft Corporationmscorjit.dllMD5=942A0FD4301180517656DF2D7DF45574,SHA256=B9648A085BD060F253D28351E5FED798CE5893B69FA4E221D44C99F460D05936,IMPHASH=458AE5B7483D2B3344CEEB01EB67E386trueMicrosoft CorporationValid 10341000x8000000000000000348436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.273{6820D070-4AD1-6323-1500-000000007502}12201948C:\Windows\system32\svchost.exe{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.273{6820D070-4AD1-6323-1500-000000007502}12201256C:\Windows\system32\svchost.exe{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000348434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.273{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670,IMPHASH=1FCD5DF5B3D97346B0A828B1CFDB1ED1trueMicrosoft WindowsValid 734700x8000000000000000348433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.273{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=33842D2EF1AFD0E94F73E24E55724418,SHA256=EBD2C419EB5B75270E1CC6F80FABD899C8F7B787F742CF3B0F608BB807197DF1,IMPHASH=6FE75EB0A263DD16629B09AECE416B36trueMicrosoft WindowsValid 734700x8000000000000000348432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.211{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Diagnostics.FileVersionInfo.dll6.0.21.52210System.Diagnostics.FileVersionInfoMicrosoft® .NETMicrosoft CorporationSystem.Diagnostics.FileVersionInfo.dllMD5=7A821EAD4D7540D01F04760B7BFC2E44,SHA256=C81E962AE4948E463E2A48A5C4BFFE917AD8344329229C3E4BCB7C8E20DCD2A1,IMPHASH=00000000000000000000000000000000true.NETValid 354300x8000000000000000190485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:31.279{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49878-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x8000000000000000348431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.157{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\SysWOW64\psapi.dll10.0.14393.0 (rs1_release.160715-1616)Process Status HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationPSAPIMD5=7B73FC5AD82AF0FB84212106455E0D48,SHA256=CF6A2C746B3A9B9294A41DE686ED35FC99BB6A8ABEA7DC6A81D15C67613B98D6,IMPHASH=8B487D2FE53FD7CA3451BEAFFC8EF197trueMicrosoft WindowsValid 10341000x8000000000000000348430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.157{6820D070-4E46-6323-4401-000000007502}51766468C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(0000000010FE048A)|UNKNOWN(0000000010FE0290)|UNKNOWN(000000000AC2F9A8)|UNKNOWN(000000000AC2EC64)|UNKNOWN(000000000AC2E1DD)|UNKNOWN(000000000AAA40EC)|UNKNOWN(00000000096CFBB2)|UNKNOWN(00000000096CF8F5)|UNKNOWN(000000000965E1C7)|UNKNOWN(000000000965E147)|UNKNOWN(000000000965DF5C)|UNKNOWN(0000000009658165)|UNKNOWN(0000000009657B96)|UNKNOWN(0000000009657AD0) 734700x8000000000000000348429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.157{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\Microsoft.Diagnostics.Runtime.dll1.1.2.42101Microsoft.Diagnostics.RuntimeMicrosoft.Diagnostics.RuntimeMicrosoft CorporationMicrosoft.Diagnostics.Runtime.dllMD5=F35A1B0788CE8A649D5D770AED379536,SHA256=47ADF5F9EED9C87ADA36BF0D9B3848632C0AFF44FB6DE456CCC57BD56B379CB2,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft CorporationValid 734700x8000000000000000348428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.132{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=65E40BDC28FDF5C01C6CF95D6CC45703,SHA256=FE140E0F5D1E06A51E679B26D6A99AA65A2DDCD7C4CD71BD51FEB2939BF6B7A4,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000348427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.126{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft Globalization SupportMicrosoft® .NET FrameworkMicrosoft Corporationculture.dllMD5=22E9113EA0D1D8252314F23BAD16DD36,SHA256=A731E05FCFCE0B9FCF449DFB589A49C09FC63593D61676F5EE3977CBD47C64A9,IMPHASH=104E17C81D918D1C093DA532DC4F4DBEtrueMicrosoft CorporationValid 734700x8000000000000000348426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.125{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=65E40BDC28FDF5C01C6CF95D6CC45703,SHA256=FE140E0F5D1E06A51E679B26D6A99AA65A2DDCD7C4CD71BD51FEB2939BF6B7A4,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000348425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.125{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=65E40BDC28FDF5C01C6CF95D6CC45703,SHA256=FE140E0F5D1E06A51E679B26D6A99AA65A2DDCD7C4CD71BD51FEB2939BF6B7A4,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000348424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.080{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873C,IMPHASH=6E3C4DB87F2B77C788E86C1A678A8D0DtrueMicrosoft WindowsValid 734700x8000000000000000348423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.079{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=80EE5186671CE3551034147EB20E8D5A,SHA256=4004CA1A47FE31D95444872D19BEA51A83472528001B3E8EC18BA0C843199AE9,IMPHASH=6DF3E31673D2CCEDABFBE5A79390B72DtrueMicrosoft WindowsValid 734700x8000000000000000348422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.074{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489,IMPHASH=689E2A5805AE9CF0919D2DDDDDC411CCtrueMicrosoft WindowsValid 734700x8000000000000000348421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.071{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=B05DBB473918152F51A7F5A10FE250C7,SHA256=85EA95E8D8B1123288E84E5DC8502584288D67B2C692B118411F37774479498B,IMPHASH=A7A8E1C7D8A348EDDDA81702A2FEC068trueMicrosoft WindowsValid 734700x8000000000000000348420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.022{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97,IMPHASH=07C997EFB887CE39B75B7896A20F5FFBtrueMicrosoft WindowsValid 734700x8000000000000000348419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:33.019{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=65BF71AD92E68AC9BCDFA13C5FF0959D,SHA256=14FDD181EF550EAE500F4B617877BD2DC04827704704A56DCF30446AEEA2882A,IMPHASH=F1F88F7EE16DD2A229F2F5159DB8928BtrueMicrosoft WindowsValid 23542300x8000000000000000190487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:34.706{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F04E011EBA64B4AFB31A00572F9B7EC5,SHA256=C95F039781BD155C5E5E06B0667B9D7D280DEACD6C7DCE636857103E355AAC8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000348481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:32.309{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63539-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x8000000000000000348480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:34.937{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\shfolder.dll10.0.14393.0 (rs1_release.160715-1616)Shell Folder ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationshfolder.dllMD5=83D8A4E04F99C5FD749D34CC4B970A0E,SHA256=0924F96973B3CE4F15BB7947E6C593B3EA1015E459BF70C3A247A31632EF2ACA,IMPHASH=A262E121DDB8823B3F2D530403B9D7E9trueMicrosoft WindowsValid 10341000x8000000000000000348479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:34.908{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:34.908{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:34.887{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4AE2-6323-4C00-000000007502}3976C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000348476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:34.884{6820D070-4AE2-6323-4C00-000000007502}3976C:\Windows\System32\wbem\WmiPrvSE.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 10341000x8000000000000000348475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:34.857{6820D070-4E46-6323-4401-000000007502}51769140C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+eec5b(wow64)|UNKNOWN(0000000017009443)|UNKNOWN(00000000170093C9)|UNKNOWN(000000001700933D)|UNKNOWN(0000000017009266)|UNKNOWN(0000000017009172)|UNKNOWN(000000000DC4ADBC)|UNKNOWN(000000000DC493C5)|UNKNOWN(000000000DC48E6E)|UNKNOWN(000000000DC48DA8)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+25f311(wow64) 23542300x8000000000000000348474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:34.655{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DA88FF7A51B24A08C3D373141C5E8DD,SHA256=01C7F9014DDA798A4F355FABBC34DB2BBE9A26A9573AEFB68A67AAE341EF2F61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000348488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:35.960{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=9D3BBB3FD8CB7BC20B661E54630D47FD,SHA256=EF01ADE5CFFA3E31429295BED89BDED77F063C7527FEACAF1B3A2851DF8CED65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000348487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:35.759{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ED340029AF813B6250ED3A325AAFD23,SHA256=E7C8376CB31A5FC5BF03FE51D5FD654ACCD2AF9E5310948B1302DCC36FEFA371,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:35.782{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED5CB5564174B916476690DE013A2F00,SHA256=6FC4D714556AA11F84EBB57AA2AC781C674B3FAF5F31C426DDBD91947D0F4592,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000348486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:35.162{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\WinTypes.dll10.0.14393.5192 (rs1_release.220610-1622)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=C3EAC9E7B604696B078D4275571F58EC,SHA256=8A1F5F88F70C1BD511AE7D0E03D6ABAE1778D59D10041D17B562FE9190559A0A,IMPHASH=E5E8B16505186AC32311EE602EA3C845trueMicrosoft WindowsValid 734700x8000000000000000348485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:35.139{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\vaultcli.dll10.0.14393.5066 (rs1_release.220401-1841)Credential Vault Client LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationvaultcli.dllMD5=0F9CC4F83FDD30CA09546038D0C1500F,SHA256=754954935A1BB01C0695252B16EDF251F7FF2D66BFB00450CF038D0AA079B844,IMPHASH=8721D7F174531C1C4F8942462C87C899trueMicrosoft WindowsValid 734700x8000000000000000348484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:35.093{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Xml.dllMD5=6A146F9D3906B27C239265A59E380270,SHA256=7900A67FBAA2A99BFE84CA06D28E5852C6D5998F702C1891381CCF08F23A0885,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000348483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:35.093{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Xml.dllMD5=6A146F9D3906B27C239265A59E380270,SHA256=7900A67FBAA2A99BFE84CA06D28E5852C6D5998F702C1891381CCF08F23A0885,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000348482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:35.093{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Xml.dllMD5=6A146F9D3906B27C239265A59E380270,SHA256=7900A67FBAA2A99BFE84CA06D28E5852C6D5998F702C1891381CCF08F23A0885,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 23542300x8000000000000000190489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:36.872{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09E118988214178E9AAC386AADB6C48B,SHA256=11CB3ACAD92B3E9BFCA43D50C834866E50CC22EFA49FFE274B5D054306DEB1DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000348490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:36.819{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19B67170685A30A40EF489976A2F88E4,SHA256=0DD9EF81E6B7D6951E9663FCB7026BFCDB21429D05108D83C9D6D999016D2F38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000348489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:36.228{6820D070-4ADF-6323-2900-000000007502}2576NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\respondent-20220915155514-014MD5=3EE9864ACDFFE78A8B2E0DEDF704C720,SHA256=3E9075B80C33CFA58EAF977E4450D367AD693E429428DFB55B91DE7FD240E49F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:37.970{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90538F704E6F46CB318087FC16373C00,SHA256=6C7792466BFFA2CB4BE906B743A2183B02368CF9E8218B52841527EF94B184CF,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000348501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:37.907{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=F18662FD1BCB04019CA35313C7BD1AB0,SHA256=44968455D3EEA914958BF90A83BA9311E9311676C32D8D46BB6109DF655738A4,IMPHASH=3BCAD7DA03A0242A2A34491F77EA8067trueMicrosoft WindowsValid 734700x8000000000000000348500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:37.890{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\rtutils.dll10.0.14393.4825 (rs1_release.211202-1611)Routing UtilitiesMicrosoft® Windows® Operating SystemMicrosoft CorporationRTUTILS.DLLMD5=AFD803265386C9791F6A26C98A52B1E4,SHA256=F7D8E4CCD3E32B9F3937C93940F0D6C5D453FB77C5E2E66C14B50C354FF934FF,IMPHASH=CA2D0A2353175BFD399FB5381901EA00trueMicrosoft WindowsValid 734700x8000000000000000348499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:37.890{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\rasman.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access Connection ManagerMicrosoft® Windows® Operating SystemMicrosoft CorporationRasman.dllMD5=5FA2F260361FC794573481F9EC54B03F,SHA256=58EE3CD71D7C6E004F4F99655C4BA715DF3A1F0305A2EC08F8662739AE5D97DB,IMPHASH=8B20BEBDEB3F8196B52FC66611947B06trueMicrosoft WindowsValid 10341000x8000000000000000348498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:37.941{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000348497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:37.890{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\rasapi32.dll10.0.14393.4283 (rs1_release.210303-1802)Remote Access APIMicrosoft® Windows® Operating SystemMicrosoft Corporationrasapi32.dllMD5=AF871935624629AA6B8DE455E8FB6487,SHA256=1C68A46D61720D2ACE4B1A31AF289CA50FF0FF00120401D209630A8AE970C98A,IMPHASH=79522D6413DA1768058547C716FAB849trueMicrosoft WindowsValid 23542300x8000000000000000348496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:37.915{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74E57ABDA71E3E593ACBA46BB7FACBFD,SHA256=E4DF6D6F730EFDD37D87E4B9EEF958AAA9D8F494521787C5B62073BDE26BABBA,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000348495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:37.741{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll2.0.50727.8745 (WinRel.050727-8700)System.Configuration.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.dllMD5=6E9FE32D7D938180DB306069FA9FBA62,SHA256=52A75F094CC93AD4A13147734BEEEC8F0CA989FF182BF6E9FDCFB69BF59A4A9D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000348494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:37.743{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll2.0.50727.8745 (WinRel.050727-8700)System.Configuration.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.dllMD5=6E9FE32D7D938180DB306069FA9FBA62,SHA256=52A75F094CC93AD4A13147734BEEEC8F0CA989FF182BF6E9FDCFB69BF59A4A9D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000348493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:37.741{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll2.0.50727.8745 (WinRel.050727-8700)System.Configuration.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.dllMD5=6E9FE32D7D938180DB306069FA9FBA62,SHA256=52A75F094CC93AD4A13147734BEEEC8F0CA989FF182BF6E9FDCFB69BF59A4A9D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 23542300x8000000000000000348492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:37.579{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\glean\db\data.safe.binMD5=F43B67614F6BB82D171BC0B152FB4E72,SHA256=C2056BA9BFF0C4CD532E5D9EEB0BCB08102BDE57D130BC0F0391759B7AB5D8F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000348491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:37.234{6820D070-4ADF-6323-2900-000000007502}2576NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\surveyor-20220915155511-015MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000348513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:38.756{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4AD1-6323-1600-000000007502}1292C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000348512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:38.108{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=BA22C7AFE02E09916C5664E1DD98A879,SHA256=459AAE00EF66DADD15FB86684FFA028F0589C470A10EB27E0EA59C9E33C17E94,IMPHASH=58B9E3FB550C715872D0FDCF7F80C373trueMicrosoft WindowsValid 734700x8000000000000000348511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:38.088{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=49F66601F196554BC9B36310CE84F011,SHA256=44FD17A3EC95EC7D0F568E132A6793BEB7582A8B48E7EEEC6C958BD217CFCA6A,IMPHASH=C910DDFE30DC1006ADAE67F73F17158EtrueMicrosoft WindowsValid 734700x8000000000000000348510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:38.072{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=5777A6C6196919EBE8B73B273DF5FAF6,SHA256=062F973C688650068FD4B3E2EB0E474CE204120ED3E18CDC341C0A3E528C7839,IMPHASH=DC23FFFD2EBC3578D9A77CC0B9DC22C2trueMicrosoft WindowsValid 734700x8000000000000000348509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:38.072{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=FEC73B133C8A34087EF9E872CD1CD45E,SHA256=4BF805F38A47FAFE9E039DE56DD1B9E36B40561C6D3FD3C75907F35CAA91D9A6,IMPHASH=228F99E8B005CFF18296089AF6DEA022trueMicrosoft WindowsValid 734700x8000000000000000348508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:38.019{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\dhcpcsvc.dll10.0.14393.3930 (rs1_release.200901-1914)DHCP Client ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc.dllMD5=68C7867BEB2A710D14B70D96C4D7DE4E,SHA256=DA093049898D4608579C739B6A63DC98A3FBA57ABDDBFB94C48D2A8335BA0CBD,IMPHASH=02FB3A0617EDCFE43788537F1544278CtrueMicrosoft WindowsValid 10341000x8000000000000000348507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:38.072{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000348506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:38.019{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\dhcpcsvc6.dll10.0.14393.3930 (rs1_release.200901-1914)DHCPv6 ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc6.dllMD5=48821439687840212B6457EDD266FA1C,SHA256=F3E9CC2B98D7E0CEBCFCC7906926E839436358437EF10E335CAF7FFAB9E13DC5,IMPHASH=F55036BC63B11DD610F1F8CFD77D76A7trueMicrosoft WindowsValid 734700x8000000000000000348505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:38.019{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=CDDE3316B3736A9613F31610AC137C9E,SHA256=545CD6206CC1CD22A7CE8B4845CFCE3E06AAD97D4334588A52F0F143CC8AD171,IMPHASH=5C77750BF609660A7729B242FA74E98CtrueMicrosoft WindowsValid 734700x8000000000000000348504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:38.019{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=380F0481E3BA9EA699BB6F674A500745,SHA256=ED5F6D3E1F27292480800E540E5F60CF8E8A157B52AC47ACA8B81F57F63F30F0,IMPHASH=2B9681B9C7B5E00CD2814399F4685385trueMicrosoft WindowsValid 734700x8000000000000000348503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:38.019{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\OnDemandConnRouteHelper.dll10.0.14393.0 (rs1_release.160715-1616)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=DF275C9659ED8215695B572A8CE17FBC,SHA256=D8F3C962E828201B361A6F634412B7BE25EC1BD3F848F259E3C996BB9572B0FB,IMPHASH=BBDB119EC3E50CDEAA84B3E28AC52C3DtrueMicrosoft WindowsValid 734700x8000000000000000348502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:38.019{6820D070-4E78-6323-4E01-000000007502}2596C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\winhttp.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=8F6507E78B57C5C15C125EF3904F4A68,SHA256=213845D780A00F05ED859C2B2D257085E7100817F135D3CDB299874D402C0B53,IMPHASH=D569F6E4A4CC77554BFC5FE46045DA9AtrueMicrosoft WindowsValid 354300x8000000000000000190492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:36.401{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49879-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000190491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:39.065{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D6CA92613A8F0F42A7B268304314E7B,SHA256=668CC9AAED57C71945E69F38DACF2FB7CAB5399ADD2CE5C8C4AF1286AF95C5E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000348547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:39.894{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2E00-000000007502}2728C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:39.892{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2D00-000000007502}2720C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:39.886{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 354300x8000000000000000348544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:37.954{6820D070-4AB3-6323-0100-000000007502}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local63542-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local445microsoft-ds 354300x8000000000000000348543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:37.954{6820D070-4AB3-6323-0100-000000007502}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local63542-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local445microsoft-ds 13241300x8000000000000000348542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 16:10:39.423{6820D070-4AD1-6323-1200-000000007502}396C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8c91d-0xb28cc2b2) 10341000x8000000000000000348541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:39.400{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:39.393{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2900-000000007502}2576C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:39.381{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:39.372{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2600-000000007502}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:39.357{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2500-000000007502}2460C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:39.353{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADB-6323-2300-000000007502}2300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:39.349{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD2-6323-1B00-000000007502}1512C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:39.347{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1700-000000007502}1348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 354300x8000000000000000348533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:37.352{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63541-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000348532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:39.326{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1600-000000007502}1292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:39.271{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:39.265{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1400-000000007502}1160C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:39.259{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1300-000000007502}924C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:39.250{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1200-000000007502}396C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:39.241{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1100-000000007502}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:39.233{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1000-000000007502}428C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:39.222{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0F00-000000007502}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:39.213{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:39.204{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0D00-000000007502}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:39.196{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:39.152{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:39.148{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0900-000000007502}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 734700x8000000000000000348519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:39.119{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\System32\svchost.exeC:\Windows\System32\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=B7B56FAC395BEEDC20120FD0170A23A3,SHA256=7BDF579D7348D84F251A8411E40E14ADF9406F954914C1C4DE30E880DCF6CEB3,IMPHASH=96416B54C1F2E15EF294753DF1CB4131trueMicrosoft WindowsValid 10341000x8000000000000000348518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:39.109{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4AB3-6323-0100-000000007502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97fa2|C:\Windows\system32\kerberos.DLL+7a1d8|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33585|C:\Windows\system32\lsasrv.dll+3140b|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000348517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:39.108{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4AD1-6323-1600-000000007502}1292C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:39.019{6820D070-4ACF-6323-0B00-000000007502}620824C:\Windows\system32\lsass.exe{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000348515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:39.014{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDF5755299B55A5EEC575234CDC4F1D7,SHA256=F679691411E2C1384AEEA6CC4B8CE76802DE27F92BB3A75EBD6651668D4415EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000348514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:39.006{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000190493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:40.271{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=258A75E94DC15357D2BE99D83566795C,SHA256=85EFA74FDC86C567547D43479E023C5E7DD2CC7C533B53D8B719421F75C2D031,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000348554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:37.307{6820D070-4E78-6323-4E01-000000007502}2596www.theonionrouter.com0::ffff:10.0.1.16;C:\Temp\agent_tesla-deob.exe 23542300x8000000000000000348553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:40.121{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A3BAFD1E2F04C47DD3DBA7FD05C4B1C,SHA256=BF5E42B45CC90AA2B969E715F6CEBCAF815AD435A624D76EDD49649DA82E2DD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000348552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:40.121{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CD4AF7819897A3843BFC6C3E849FB04,SHA256=99414DE786A3167D3D5481A5BDB264449B19348804038CEF7F557F4336F04CD2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000348551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:38.222{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63544-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000348550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:38.222{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63544-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000348549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:38.204{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local63543-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000348548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:38.204{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local63543-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local389ldap 23542300x8000000000000000190494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:41.462{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5562E6B8ADE068922447A80DBFCAEFE,SHA256=1B6673BDF5504DD7EE06594C89FEB7314F118C9A0FC283CE789873F596E7066C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000348564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:41.955{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:41.955{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:41.925{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3500-000000007502}2408C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:41.923{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3300-000000007502}2176C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:41.918{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:41.916{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3100-000000007502}2816C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:41.913{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2F00-000000007502}2800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:41.909{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3000-000000007502}2780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 354300x8000000000000000348556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:38.573{6820D070-4AD1-6323-1200-000000007502}396C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local123ntpfalse168.61.215.74-123ntp 23542300x8000000000000000348555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:41.159{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BE440F5B10F4F2564B6159EB1B406B7,SHA256=5EC57AF783B6B24BB8DA9595AA2DCF66B780E73DABC4AA6AAD9585FDEE9023C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:42.761{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97D3DCDB63C4B0A3E8E8702E6FA01DD1,SHA256=A72948082D18139993DC5E65491FD8337321E3A6057030203578B1617BBBD9A9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000348595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:42.572{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:42.569{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:42.567{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:42.565{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:42.561{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:42.559{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:42.556{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF6-6323-1401-000000007502}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:42.555{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:42.554{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4AD1-6323-1200-000000007502}396C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:42.552{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F100-000000007502}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:42.550{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4AD1-6323-1200-000000007502}396C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:42.549{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F000-000000007502}6028C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:42.547{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EF00-000000007502}5984C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:42.541{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EE00-000000007502}5852C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:42.523{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:42.517{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:42.505{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:42.477{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:42.470{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-9100-000000007502}4556C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:42.461{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-8E00-000000007502}4492C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:42.457{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8B00-000000007502}4360C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:42.456{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8900-000000007502}900C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:42.454{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B64-6323-8600-000000007502}5052c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:42.451{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B5A-6323-8400-000000007502}4824C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:42.449{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AF2-6323-7D00-000000007502}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:42.447{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:42.443{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4C00-000000007502}3976C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:42.442{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4700-000000007502}3772C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:42.441{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE1-6323-4600-000000007502}3752C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:42.440{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE0-6323-3A00-000000007502}3404C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 23542300x8000000000000000348565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:42.226{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E992686C91510EC3BDAFA7077915D51,SHA256=508F7543C2E13F0A365A376B5EB95E7F049F5F499ED5F1DD268BDD47716D09C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:42.335{E743DC12-4AD1-6323-2200-000000007602}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=6AE6FAE7D0575B9F45A3D11918317E2D,SHA256=4577C007B44D8977DDF637630ED93E342A3F649412C9E6BF960C314592DF57A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:43.994{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0F00-000000007602}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:43.974{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0E00-000000007602}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:43.964{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0D00-000000007602}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:43.952{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0C00-000000007602}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:43.939{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:43.936{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0900-000000007602}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 23542300x8000000000000000190497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:43.848{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD716864593AE3633FB867253CAE52B3,SHA256=05226417CBC2AD2716D7E18E343B933D222EC977E53E6503409BAFCB10E6C5D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000348601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:43.424{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=744A7BBD71A97C7B099A1A7BF3B83B9F,SHA256=FCE803540F2CC66C6C2C07CB9466F3B3374A31638E7D013E3DA3902E8CACBF83,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000348600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:43.246{6820D070-4B7F-6323-9900-000000007502}29725752C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:43.246{6820D070-4B7F-6323-9900-000000007502}29725752C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:43.246{6820D070-4B7F-6323-9900-000000007502}29725752C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:43.218{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:43.218{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:44.204{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B84-6323-9000-000000007602}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:44.188{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:44.167{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:44.162{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8700-000000007602}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:44.152{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B81-6323-8400-000000007602}3052C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:44.147{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B80-6323-8100-000000007602}640C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:44.146{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B7F-6323-7F00-000000007602}1676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:44.143{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B4B-6323-7B00-000000007602}2656C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:44.140{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AE3-6323-6D00-000000007602}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:44.138{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:44.136{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4200-000000007602}3036C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:44.135{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4000-000000007602}3000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:44.133{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-3C00-000000007602}2820C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:44.132{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD2-6323-2B00-000000007602}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:44.131{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2600-000000007602}2612C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:44.128{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2500-000000007602}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:44.123{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:44.116{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:44.112{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2000-000000007602}2000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:44.108{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1F00-000000007602}1984C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:44.102{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1C00-000000007602}1924C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:44.095{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1900-000000007602}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:44.083{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1700-000000007602}1228C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:44.081{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1600-000000007602}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:44.069{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1500-000000007602}1056C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:44.037{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1400-000000007602}1048C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:44.032{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1300-000000007602}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:44.022{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1200-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:44.015{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1100-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000190504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:44.001{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1000-000000007602}940C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000348700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.946{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.946{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.946{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.893{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000348696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.877{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll8.0.50727.8745 (WinRel.050727-8700)Visual Basic Runtime LibraryMicrosoft® Visual Studio® 2005Microsoft CorporationMicrosoft.VisualBasic.DLLMD5=CF29781E0DDE50FADF81C98AFF4FC10E,SHA256=1C5084ECBBC3B9C976A44E6B0D335F83AFF78194C8C90F904C13E8C36BB628A9,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000348695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.877{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll8.0.50727.8745 (WinRel.050727-8700)Visual Basic Runtime LibraryMicrosoft® Visual Studio® 2005Microsoft CorporationMicrosoft.VisualBasic.DLLMD5=CF29781E0DDE50FADF81C98AFF4FC10E,SHA256=1C5084ECBBC3B9C976A44E6B0D335F83AFF78194C8C90F904C13E8C36BB628A9,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000348694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.877{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll8.0.50727.8745 (WinRel.050727-8700)Visual Basic Runtime LibraryMicrosoft® Visual Studio® 2005Microsoft CorporationMicrosoft.VisualBasic.DLLMD5=CF29781E0DDE50FADF81C98AFF4FC10E,SHA256=1C5084ECBBC3B9C976A44E6B0D335F83AFF78194C8C90F904C13E8C36BB628A9,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000348693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.877{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=9178314010A9838BDEBA4C83B1F5F1CC,SHA256=2AD8E588254C7A26C2FA224AAFC0BADE9EBEC421624FDD3E798042A0AAA8322D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000348692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.877{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=9178314010A9838BDEBA4C83B1F5F1CC,SHA256=2AD8E588254C7A26C2FA224AAFC0BADE9EBEC421624FDD3E798042A0AAA8322D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000348691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.877{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=9178314010A9838BDEBA4C83B1F5F1CC,SHA256=2AD8E588254C7A26C2FA224AAFC0BADE9EBEC421624FDD3E798042A0AAA8322D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000348690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.874{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Windows.Forms.dllMD5=D7BE1A5DFB5FA4F5FDF413A7B4B226B3,SHA256=2BF63A02DD33395465CDADBF7276D2B6E95B43235CEC21B0931D4328EE03D31C,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000348689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.870{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Windows.Forms.dllMD5=D7BE1A5DFB5FA4F5FDF413A7B4B226B3,SHA256=2BF63A02DD33395465CDADBF7276D2B6E95B43235CEC21B0931D4328EE03D31C,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000348688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.870{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Windows.Forms.dllMD5=D7BE1A5DFB5FA4F5FDF413A7B4B226B3,SHA256=2BF63A02DD33395465CDADBF7276D2B6E95B43235CEC21B0931D4328EE03D31C,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000348687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.863{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\diasymreader.dll8.0.50727.8745 (WinRel.050727-8700)Dia based SymReaderMicrosoft® Visual Studio® 2005Microsoft Corporationdiasymreader.dllMD5=7D6A7AD508368F8A41E19A593BF8152A,SHA256=9385717A62043C46A22A99893139475ACB44C0096DDE9954C9BDED721F4581A2,IMPHASH=E2ADD10FCF5C120524D6149FB9E129DEtrueMicrosoft CorporationValid 23542300x8000000000000000348686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.678{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5156BD2362E0F77BF8ED4FBAB20723CF,SHA256=BD45671B2A6DE80A9D956EF172AFED679325C9F9B6870ECB6DAE641DDCB2D245,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000348685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.663{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft .NET Runtime Just-In-Time CompilerMicrosoft® .NET FrameworkMicrosoft Corporationmscorjit.dllMD5=942A0FD4301180517656DF2D7DF45574,SHA256=B9648A085BD060F253D28351E5FED798CE5893B69FA4E221D44C99F460D05936,IMPHASH=458AE5B7483D2B3344CEEB01EB67E386trueMicrosoft CorporationValid 10341000x8000000000000000348684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.647{6820D070-4AD1-6323-1500-000000007502}12201384C:\Windows\system32\svchost.exe{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.647{6820D070-4AD1-6323-1500-000000007502}12201256C:\Windows\system32\svchost.exe{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000348682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.647{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670,IMPHASH=1FCD5DF5B3D97346B0A828B1CFDB1ED1trueMicrosoft WindowsValid 734700x8000000000000000348681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.647{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=33842D2EF1AFD0E94F73E24E55724418,SHA256=EBD2C419EB5B75270E1CC6F80FABD899C8F7B787F742CF3B0F608BB807197DF1,IMPHASH=6FE75EB0A263DD16629B09AECE416B36trueMicrosoft WindowsValid 10341000x8000000000000000348680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.641{6820D070-4E46-6323-4401-000000007502}51767680C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(0000000010FE048A)|UNKNOWN(0000000010FE0290)|UNKNOWN(000000000AC2F9A8)|UNKNOWN(000000000AC2EC64)|UNKNOWN(000000000AC2E1DD)|UNKNOWN(0000000018C94DB9)|UNKNOWN(0000000018C9488F)|UNKNOWN(00000000096CF8F5)|UNKNOWN(000000000965E1C7)|UNKNOWN(0000000017009CDE)|UNKNOWN(0000000009658165)|UNKNOWN(0000000009657B96)|UNKNOWN(0000000009657AD0)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64) 734700x8000000000000000348679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.625{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=65E40BDC28FDF5C01C6CF95D6CC45703,SHA256=FE140E0F5D1E06A51E679B26D6A99AA65A2DDCD7C4CD71BD51FEB2939BF6B7A4,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000348678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.625{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft Globalization SupportMicrosoft® .NET FrameworkMicrosoft Corporationculture.dllMD5=22E9113EA0D1D8252314F23BAD16DD36,SHA256=A731E05FCFCE0B9FCF449DFB589A49C09FC63593D61676F5EE3977CBD47C64A9,IMPHASH=104E17C81D918D1C093DA532DC4F4DBEtrueMicrosoft CorporationValid 10341000x8000000000000000348677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.625{6820D070-4E46-6323-4401-000000007502}51766296C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exe0x1038C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000AAA70FA)|UNKNOWN(000000001B0CFAB2)|UNKNOWN(000000001B0CF286)|UNKNOWN(000000001C3EF715)|UNKNOWN(000000001C3EF637)|UNKNOWN(000000001B29D9E9)|UNKNOWN(000000001B29D841)|UNKNOWN(000000001B29D7F9)|UNKNOWN(000000001B29D69A)|UNKNOWN(000000001B29D4FE)|UNKNOWN(000000001B29D313)|UNKNOWN(000000001B29D1BC)|UNKNOWN(000000001B29C087) 734700x8000000000000000348676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.625{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=65E40BDC28FDF5C01C6CF95D6CC45703,SHA256=FE140E0F5D1E06A51E679B26D6A99AA65A2DDCD7C4CD71BD51FEB2939BF6B7A4,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000348675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.625{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=65E40BDC28FDF5C01C6CF95D6CC45703,SHA256=FE140E0F5D1E06A51E679B26D6A99AA65A2DDCD7C4CD71BD51FEB2939BF6B7A4,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000348674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.625{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873C,IMPHASH=6E3C4DB87F2B77C788E86C1A678A8D0DtrueMicrosoft WindowsValid 734700x8000000000000000348673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.625{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=80EE5186671CE3551034147EB20E8D5A,SHA256=4004CA1A47FE31D95444872D19BEA51A83472528001B3E8EC18BA0C843199AE9,IMPHASH=6DF3E31673D2CCEDABFBE5A79390B72DtrueMicrosoft WindowsValid 734700x8000000000000000348672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.625{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489,IMPHASH=689E2A5805AE9CF0919D2DDDDDC411CCtrueMicrosoft WindowsValid 734700x8000000000000000348671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.625{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=B05DBB473918152F51A7F5A10FE250C7,SHA256=85EA95E8D8B1123288E84E5DC8502584288D67B2C692B118411F37774479498B,IMPHASH=A7A8E1C7D8A348EDDDA81702A2FEC068trueMicrosoft WindowsValid 734700x8000000000000000348670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.625{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97,IMPHASH=07C997EFB887CE39B75B7896A20F5FFBtrueMicrosoft WindowsValid 734700x8000000000000000348669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.625{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=65BF71AD92E68AC9BCDFA13C5FF0959D,SHA256=14FDD181EF550EAE500F4B617877BD2DC04827704704A56DCF30446AEEA2882A,IMPHASH=F1F88F7EE16DD2A229F2F5159DB8928BtrueMicrosoft WindowsValid 10341000x8000000000000000348668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.618{6820D070-4E46-6323-4401-000000007502}51769140C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000AAA85D7)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+13bcf(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+168b9(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+d8ba(wow64)|UNKNOWN(000000000ABD9240)|UNKNOWN(000000000ABD9008)|UNKNOWN(000000000ABD8EA6)|UNKNOWN(000000000ABD8DEC)|UNKNOWN(000000000AB7057E)|UNKNOWN(000000000AAAFC09)|UNKNOWN(0000000018C9F54B)|UNKNOWN(000000000AAA599D)|UNKNOWN(000000000AAA5237)|UNKNOWN(000000000AAA4FC5) 10341000x8000000000000000348667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.617{6820D070-4E46-6323-4401-000000007502}51769140C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000AAA85D7)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+13814(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+e8b9(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+e99e(wow64)|UNKNOWN(000000000ABD9008)|UNKNOWN(000000000ABD8EA6)|UNKNOWN(000000000ABD8DEC)|UNKNOWN(000000000AB7057E)|UNKNOWN(000000000AAAFC09)|UNKNOWN(0000000018C9F54B)|UNKNOWN(000000000AAA599D)|UNKNOWN(000000000AAA5237)|UNKNOWN(000000000AAA4FC5)|UNKNOWN(000000000DC4ADBC) 734700x8000000000000000348666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.578{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000348665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.578{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 10341000x8000000000000000348664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.612{6820D070-4E46-6323-4401-000000007502}51769140C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000AAA85D7)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+13bcf(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+168b9(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+d8ba(wow64)|UNKNOWN(000000000AB70D00)|UNKNOWN(000000000AB70A1C)|UNKNOWN(000000000AB704CA)|UNKNOWN(000000000AAAFC09)|UNKNOWN(0000000018C9F54B)|UNKNOWN(000000000AAA599D)|UNKNOWN(000000000AAA5237)|UNKNOWN(000000000AAA4FC5)|UNKNOWN(000000000DC4ADBC)|UNKNOWN(000000000DC493C5) 10341000x8000000000000000348663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.612{6820D070-4E46-6323-4401-000000007502}51769140C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000AAA85D7)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+13814(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+e8b9(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+e99e(wow64)|UNKNOWN(000000000AB70A1C)|UNKNOWN(000000000AB704CA)|UNKNOWN(000000000AAAFC09)|UNKNOWN(0000000018C9F54B)|UNKNOWN(000000000AAA599D)|UNKNOWN(000000000AAA5237)|UNKNOWN(000000000AAA4FC5)|UNKNOWN(000000000DC4ADBC)|UNKNOWN(000000000DC493C5)|UNKNOWN(000000000DC48E6E) 10341000x8000000000000000348662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.612{6820D070-4E46-6323-4401-000000007502}51769140C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000AB70C4A)|UNKNOWN(000000000AB70ADF)|UNKNOWN(000000000AB709EF)|UNKNOWN(000000000AB704CA)|UNKNOWN(000000000AAAFC09)|UNKNOWN(0000000018C9F54B)|UNKNOWN(000000000AAA599D)|UNKNOWN(000000000AAA5237)|UNKNOWN(000000000AAA4FC5)|UNKNOWN(000000000DC4ADBC)|UNKNOWN(000000000DC493C5)|UNKNOWN(000000000DC48E6E)|UNKNOWN(000000000DC48DA8)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64) 10341000x8000000000000000348661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.612{6820D070-4E46-6323-4401-000000007502}51769140C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000AAA85D7)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+13bcf(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+168b9(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+15b8f(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+fdd2(wow64)|UNKNOWN(000000000AAA7DFE)|UNKNOWN(000000000AAA6E69)|UNKNOWN(000000000AAA5C1F)|UNKNOWN(000000000AAA5730)|UNKNOWN(000000000AAA5237)|UNKNOWN(000000000AAA4FC5)|UNKNOWN(000000000DC4ADBC)|UNKNOWN(000000000DC493C5)|UNKNOWN(000000000DC48E6E) 10341000x8000000000000000348660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.594{6820D070-4E46-6323-4401-000000007502}51769140C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000AAA85D7)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+13814(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+e8b9(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+e99e(wow64)|UNKNOWN(000000000AAA6E69)|UNKNOWN(000000000AAA5C1F)|UNKNOWN(000000000AAA5730)|UNKNOWN(000000000AAA5237)|UNKNOWN(000000000AAA4FC5)|UNKNOWN(000000000DC4ADBC)|UNKNOWN(000000000DC493C5)|UNKNOWN(000000000DC48E6E)|UNKNOWN(000000000DC48DA8)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64) 10341000x8000000000000000348659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.594{6820D070-4E46-6323-4401-000000007502}51769140C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exe0x1038C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000AAA70FA)|UNKNOWN(000000000AAA6D52)|UNKNOWN(000000000AAA5C1F)|UNKNOWN(000000000AAA5730)|UNKNOWN(000000000AAA5237)|UNKNOWN(000000000AAA4FC5)|UNKNOWN(000000000DC4ADBC)|UNKNOWN(000000000DC493C5)|UNKNOWN(000000000DC48E6E)|UNKNOWN(000000000DC48DA8)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+25f311(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+255d72(wow64)|C:\Users\Administrator\Downloads\bin\coreclr.dll+11adaf(wow64) 10341000x8000000000000000348658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.594{6820D070-4E46-6323-4401-000000007502}51767680C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000AAA4B7F)|UNKNOWN(0000000018C94CCC)|UNKNOWN(0000000018C9488F)|UNKNOWN(00000000096CF8F5)|UNKNOWN(000000000965E1C7)|UNKNOWN(0000000017009CDE)|UNKNOWN(0000000009658165)|UNKNOWN(0000000009657B96)|UNKNOWN(0000000009657AD0)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|UNKNOWN(000000001B29D69A)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+255d72(wow64)|C:\Users\Administrator\Downloads\bin\coreclr.dll+11adaf(wow64)|C:\Users\Administrator\Downloads\bin\coreclr.dll+4660a(wow64) 10341000x8000000000000000348657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.594{6820D070-4E46-6323-4401-000000007502}51767792C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d6e0(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ca(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ea(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dae6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dd11(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e2de(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e4ae(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll+6a31(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll+749d(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dfe2(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e0b6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e177(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e5fa(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1142a(wow64) 10341000x8000000000000000348656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.594{6820D070-4E46-6323-4401-000000007502}51767792C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+de5f(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dca6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e2de(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e4ae(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll+6a31(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll+749d(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dfe2(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e0b6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e177(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e5fa(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1142a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 734700x8000000000000000348655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.594{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft .NET External Data Access SupportMicrosoft® .NET FrameworkMicrosoft Corporationcordacwks.dllMD5=0ACFE06D73EFBCAFACF72A22F7D79E91,SHA256=525591629E48EC84FE78DBC621AE91536E7039B50593B60AD6B3801B1F91EB5A,IMPHASH=F0FBF635B7EFD828980AA6937580AF82trueMicrosoft CorporationValid 10341000x8000000000000000348654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.594{6820D070-4E46-6323-4401-000000007502}51767792C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d6e0(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ca(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ea(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dae6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dd11(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e195(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1d732(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e5fa(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1142a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000348653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.594{6820D070-4E46-6323-4401-000000007502}51767792C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+de5f(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dca6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e195(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1d732(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e5fa(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1142a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 734700x8000000000000000348652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.594{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9268_none_d08e1538442a243e\msvcr80.dll8.00.50727.9268Microsoft® C Runtime LibraryMicrosoft® Visual Studio® 2005Microsoft CorporationMSVCR80.DLLMD5=26A95438C2D0E0C41B73D19400F4C2DB,SHA256=CC97DCB66E3150CD14294D21AD0E10C7472DF45CAF37E49675A70ED406882BE2,IMPHASH=7FECBC4A16A5DC85A5394A1DF6217680trueMicrosoft WindowsValid 734700x8000000000000000348651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.594{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft .NET Runtime Common Language Runtime - WorkStationMicrosoft® .NET FrameworkMicrosoft Corporationmscorwks.dllMD5=25CEE067AED86FF988C8D31BD7212A21,SHA256=3E0987EFC92F4BCD2798934A70BBEDCADB37899B4F6225279F3685A0DB5BB2F8,IMPHASH=C8D17502D1A38C77CC8770F7291FD333trueMicrosoft CorporationValid 734700x8000000000000000348650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.578{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000348649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.594{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9,IMPHASH=313B85F092EA5CD18DD8311E8921D208trueMicrosoft WindowsValid 734700x8000000000000000348648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.594{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69,IMPHASH=9F60CD6001B5CEA647B250DFF3B6F65AtrueMicrosoft WindowsValid 734700x8000000000000000348647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.594{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3,IMPHASH=EA6E499F92F9040E9609EFDC47BE01FEtrueMicrosoft WindowsValid 734700x8000000000000000348646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.594{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62A,IMPHASH=5D2578ED274AAD83C30A3917C98404EEtrueMicrosoft WindowsValid 734700x8000000000000000348645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.594{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8C,IMPHASH=5D92B73B6930EFBC71A36B7FEF62DF62trueMicrosoft WindowsValid 734700x8000000000000000348644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.594{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=8B516F883167509677B58B9984D8EEA2,SHA256=47F9B88E4038517FC8C5FEB3AC04B21A885EE505143952C96A23FE851869A90E,IMPHASH=E698C8E2E06172CDB524686FF10A5C5EtrueMicrosoft WindowsValid 734700x8000000000000000348643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.594{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDF,IMPHASH=25AFDCBDCE8BEB6A7109D378495BE552trueMicrosoft WindowsValid 734700x8000000000000000348642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.594{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87,IMPHASH=44F906D172B935DEA0C5D038C6FA8449trueMicrosoft WindowsValid 734700x8000000000000000348641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.594{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=9629C30BA0F10D72FD189FCA987B0E29,SHA256=4DDAF3BB8CE239A8AD41F333AE7D2AD6B7763B9ED8B862695B67F60E5ADE031C,IMPHASH=7E0E904C0FD68DBF5F794D700C0C3C3DtrueMicrosoft WindowsValid 734700x8000000000000000348640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.594{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6CE01AB1C2063B171AD7432B130FEBBD,SHA256=F554E9818C54F6C760C6E53BAEABCA3F5CAD683C028460307F3D93C7A8B06F02,IMPHASH=2D7046CEF5DEEA9D960D37CB0A98F146trueMicrosoft WindowsValid 734700x8000000000000000348639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.594{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=606B77C072A964DA4E4710151CAC86EB,SHA256=C6C9E8D77B62C7A52E6E9EAC764C1E1345779FC17544B80730E507627A5D5120,IMPHASH=25F1E57C7A6ED06AAF329CB7B168FA29trueMicrosoft CorporationValid 734700x8000000000000000348638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.578{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8,IMPHASH=918DADABE6E41CFBB03F954A46D3F72EtrueMicrosoft WindowsValid 734700x8000000000000000348637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.578{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891,IMPHASH=C7D6B46400E43E7BE538D1CCB512EC25trueMicrosoft WindowsValid 734700x8000000000000000348636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.578{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=1B90C58145F4B3C0743C470793469AD6,SHA256=21D752964E10DBB4DFC589856AA808D31E301B93C9E5FF6D1655D32FBD00AF44,IMPHASH=AC11100B3FFA7FCAFA188E618E4C7CC1trueMicrosoft WindowsValid 734700x8000000000000000348635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.578{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=C6EE0DB29435BF41835FFA96EB2F14C5,SHA256=CAF9E05D47F84728986E1BF563B3B87FAF3522F4E0CC4FD95694F418C307AD92,IMPHASH=DFB6F6F4811855AE14F8E8492E1C602FtrueMicrosoft WindowsValid 734700x8000000000000000348634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.578{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=495127E6E6D5CAEDE18A809EAEFFC349,SHA256=9F621D36BCD75AE97E1BCBA9BBFD75FEC74C6CA87AEF81F3190173CBF7CC2A45,IMPHASH=C3B61C1F5D46A607D624033E7094E4FFtrueMicrosoft WindowsValid 734700x8000000000000000348633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.578{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0B,IMPHASH=B5CBF1B1B5086E2C500FD84325E04D44trueMicrosoft WindowsValid 734700x8000000000000000348632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.578{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7,IMPHASH=8B861EA72FDD6FC722328B2746B13380trueMicrosoft WindowsValid 734700x8000000000000000348631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.578{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=25ADC994F9AF8716E35487995DDB45CE,SHA256=47B573E7708AAA00F2BE6E8EB7F3CB1B4817E65FACBBB1D772970A8F710DAF61,IMPHASH=6E1D0A92C1917EFBFC1EEA82FA5E155FtrueMicrosoft WindowsValid 734700x8000000000000000348630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.578{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=2BF0F8D3C4FB14CB0DB195FED475AC53,SHA256=42360027F12D825CFA04158EEF4DE264AC74C7FD48C2C2EE384519714183436F,IMPHASH=EAF4CC449835E7A81A8EEFEBEB2E8FC7trueMicrosoft WindowsValid 734700x8000000000000000348629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.578{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=2582AA6C1F88D34B37B7F82D790D232E,SHA256=AA948BB6583057E2E2F299EBD1717A42D6559CA27AF6BC756D3C3BB4109E4E77,IMPHASH=900F88A34CE398C54C9022F5335E8EA9trueMicrosoft WindowsValid 734700x8000000000000000348628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.578{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82,IMPHASH=15CD876FB3F6EC97A2F7466360415F86trueMicrosoft WindowsValid 734700x8000000000000000348627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.578{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000348626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.578{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=2BF0F8D3C4FB14CB0DB195FED475AC53,SHA256=42360027F12D825CFA04158EEF4DE264AC74C7FD48C2C2EE384519714183436F,IMPHASH=EAF4CC449835E7A81A8EEFEBEB2E8FC7trueMicrosoft WindowsValid 734700x8000000000000000348625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.578{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0,IMPHASH=3045357B61B63AEF6CBCD96F2FA7E9D8trueMicrosoft WindowsValid 734700x8000000000000000348624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.578{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5D,IMPHASH=03B9E38A9E88FDC66380837CCC8647FAtrueMicrosoft WindowsValid 734700x8000000000000000348623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.578{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=B04953E4C38042AD2628FA49AB42AB5C,SHA256=7B2B4662D3EE0D6DD673C0FEEE4B28E2E16ABF534DF3076497C6B6B40E8BE9C1,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000348622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.578{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Temp\agent_tesla-deob.exe0.0.0.0 --aLSZnlmnjFkdUuYoWBWV.exeMD5=3C907809BF409DFC1B14320749711692,SHA256=2C23D19BE9D8132A791A3EE3983212BA4CF82ADAB54F87642AF572721BB081AE,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744false-Unavailable 10341000x8000000000000000348621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.578{6820D070-4E46-6323-4401-000000007502}51766156C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d6e0(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ca(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ea(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+f6f0(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+eb46(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1a9a1(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1a720(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+ca3d(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000348620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.578{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.578{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.578{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.578{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.578{6820D070-4B7C-6323-8800-000000007502}6284268C:\Windows\system32\csrss.exe{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000348615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.578{6820D070-4E46-6323-4401-000000007502}51766156C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9328(wow64)|C:\Windows\System32\KERNELBASE.dll+d800c(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1a871(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1a937(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1a720(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+ca3d(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000348614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.579{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exe0.0.0.0 --aLSZnlmnjFkdUuYoWBWV.exe"C:\Temp\agent_tesla-deob.exe"C:\Temp\ATTACKRANGE\Administrator{6820D070-4B7D-6323-1F63-0C0000000000}0xc631f2HighMD5=3C907809BF409DFC1B14320749711692,SHA256=2C23D19BE9D8132A791A3EE3983212BA4CF82ADAB54F87642AF572721BB081AE,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe"C:\Users\Administrator\Downloads\dnSpy.exe" 10341000x8000000000000000348613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.578{6820D070-4AD1-6323-1000-000000007502}4286492C:\Windows\System32\svchost.exe{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.563{6820D070-4B7F-6323-9900-000000007502}29725752C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.563{6820D070-4B7F-6323-9900-000000007502}29725752C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.563{6820D070-4B7F-6323-9900-000000007502}29725752C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000348609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.525{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFC899788753B0D683A3C821DC89D475,SHA256=882C27CF525A22E4F8DEC52F9CAFDA4681B512F392E7147DCC6E19045FE6DE88,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000348608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:41.748{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local56717- 354300x8000000000000000348607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:41.748{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local56717-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domain 13241300x8000000000000000348606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 16:10:44.106{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8540D214-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8540D214-0000-0000-0000-100000000000.XML 13241300x8000000000000000348605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 16:10:44.101{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BDD44E51-425D-47BA-BA16-AF37623148D4\Config SourceDWORD (0x00000001) 13241300x8000000000000000348604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 16:10:44.101{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BDD44E51-425D-47BA-BA16-AF37623148D4\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_BDD44E51-425D-47BA-BA16-AF37623148D4.XML 10341000x8000000000000000348603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.084{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.083{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:45.947{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:45.947{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000348743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:45.832{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=47322A301760D02A4AE8612E14E0E5A1,SHA256=821AB9D2D72880B60DF6ADF0C4889FE6236E917088CAF51C694029B13F88D93B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000348742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:45.800{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:45.795{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:45.795{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000348739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:45.616{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0CADC9DD4037D10CC65DEE318E27CF2,SHA256=CCBA08AAEEC89FC40D5D51C7CF4F9351787906873EFF550A81D7496303060673,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:42.408{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49880-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000190534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:45.483{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08351AFC4597B69FE0AEFE29EC733763,SHA256=B8C5441B4D6C3529ED74AB6B5BEC8CB21A83267FEBD8B8B598F6EF97CEE09B0E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000348738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:45.300{6820D070-4E46-6323-4401-000000007502}51769140C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+eec5b(wow64)|UNKNOWN(0000000017009443)|UNKNOWN(00000000170093C9)|UNKNOWN(000000001700933D)|UNKNOWN(0000000017009266)|UNKNOWN(0000000017009172)|UNKNOWN(000000000DC4ADBC)|UNKNOWN(000000000DC493C5)|UNKNOWN(000000000DC48E6E)|UNKNOWN(000000000DC48DA8)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+25f311(wow64) 734700x8000000000000000348737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:45.300{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\WMINet_Utils.dll2.0.50727.8745 (WinRel.050727-8700)WMINet_Utils.dllMicrosoft® .NET FrameworkMicrosoft CorporationWMINet_Utils.dllMD5=FE3A877218F498F90DD1D097FB770BFA,SHA256=7B7AB5348E3143DB00D0FCE36E5A75867046B5C60FC52DC9E0A166CA2FDF714E,IMPHASH=422758B458E7A457D744549F961156CCtrueMicrosoft CorporationValid 23542300x8000000000000000348736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:45.255{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A47DA856B408562D13DC8D1C04F791FA,SHA256=CD7BED2C5B8A6597488C2D36ABDAA5D5B5E75BC539B40ED8DFA4053C81AEF84D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000348735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:43.281{6820D070-4AD1-6323-0D00-000000007502}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local63548-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local135epmap 354300x8000000000000000348734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:43.280{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local63548-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local135epmap 354300x8000000000000000348733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:43.270{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63547-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000348732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:43.208{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:0:0:c8f0:65f5:8cc8:ffff-56091-truee000:fc:2202:0:0:2cd8:fa7f:0-5355llmnr 354300x8000000000000000348731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:43.208{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local56091-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000348730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:43.207{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local60907- 354300x8000000000000000348729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:43.205{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50564-false10.0.0.2-53domain 354300x8000000000000000348728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:43.205{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local61999- 734700x8000000000000000348727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:45.200{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Management.dllMD5=958FDDB17C667F7A3B6DCAF7A65D77CA,SHA256=2E169CCA1C98C89149E2022FCD0EDAC5037BFD5B4CBB7A6C38FCBBA048C42023,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000348726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:45.199{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Management.dllMD5=958FDDB17C667F7A3B6DCAF7A65D77CA,SHA256=2E169CCA1C98C89149E2022FCD0EDAC5037BFD5B4CBB7A6C38FCBBA048C42023,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000348725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:45.199{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Management.dllMD5=958FDDB17C667F7A3B6DCAF7A65D77CA,SHA256=2E169CCA1C98C89149E2022FCD0EDAC5037BFD5B4CBB7A6C38FCBBA048C42023,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000348724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:45.169{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft .NET Framework Custom MarshalersMicrosoft® .NET FrameworkMicrosoft CorporationCustomMarshalers.dllMD5=42DA151FFF2A55E85E078829BF3A0000,SHA256=2D942049C5C2BF2A6B7230BC7815B1759100E70125A9FC8C865FA87EF2FEA9C5,IMPHASH=6158BA7CC8ABE8F855A2AF17A6D4B2C0trueMicrosoft WindowsValid 734700x8000000000000000348723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:45.167{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft .NET Framework Custom MarshalersMicrosoft® .NET FrameworkMicrosoft CorporationCustomMarshalers.dllMD5=42DA151FFF2A55E85E078829BF3A0000,SHA256=2D942049C5C2BF2A6B7230BC7815B1759100E70125A9FC8C865FA87EF2FEA9C5,IMPHASH=6158BA7CC8ABE8F855A2AF17A6D4B2C0trueMicrosoft WindowsValid 734700x8000000000000000348722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:45.166{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft .NET Framework Custom MarshalersMicrosoft® .NET FrameworkMicrosoft CorporationCustomMarshalers.dllMD5=42DA151FFF2A55E85E078829BF3A0000,SHA256=2D942049C5C2BF2A6B7230BC7815B1759100E70125A9FC8C865FA87EF2FEA9C5,IMPHASH=6158BA7CC8ABE8F855A2AF17A6D4B2C0trueMicrosoft WindowsValid 734700x8000000000000000348721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:45.117{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\sxs.dll10.0.14393.5246 (rs1_release.220701-1744)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=2A16D108FE99577ABCC08B92F2765971,SHA256=AF5268F39CE35FA3215E8162A0BF4C1949D0F5FB7A284953362ED23507C5697F,IMPHASH=36E120EA05F8714D20693A7DA02D7326trueMicrosoft WindowsValid 10341000x8000000000000000348720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:45.096{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000348719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:45.096{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000348718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:45.096{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 734700x8000000000000000348717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:45.095{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 10341000x8000000000000000348716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:45.094{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000348715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:45.091{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000348714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:45.091{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 734700x8000000000000000348713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:45.054{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000348712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:45.046{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000348711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:45.037{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000348710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:45.034{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2F,IMPHASH=844732D10340F10C1E97778BA10CF30EtrueMicrosoft WindowsValid 734700x8000000000000000348709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:45.033{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000348708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:45.033{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946,IMPHASH=2DCB08A6E31A83C3EA33C5793EFA9A56trueMicrosoft WindowsValid 734700x8000000000000000348707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:45.032{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088,IMPHASH=76F056ED62EDF4D48793D8C5EDA733ADtrueMicrosoft WindowsValid 734700x8000000000000000348706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:45.032{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 734700x8000000000000000348705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:45.030{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9,IMPHASH=CAC6B3339C5CAA083E24A4484EE86E29trueMicrosoft WindowsValid 10341000x8000000000000000348704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:45.027{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000348703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:45.000{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587B,IMPHASH=34AF29CE553D01A9CE643682A40D7CB5trueMicrosoft WindowsValid 734700x8000000000000000348702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:45.000{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040C,IMPHASH=789B4484C292CAC32E0806DEE3E8734AtrueMicrosoft WindowsValid 734700x8000000000000000348701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:45.000{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6D,IMPHASH=61592743BFAEF2F12950E5420FA2AEB1trueMicrosoft WindowsValid 23542300x8000000000000000348808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:46.920{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2059B5083AFC8CB7D506CCDC424CBEF7,SHA256=71DBEBCA1AD5BA5520A8EDCD7A4ACFDC5A389D0610AA8D712BB4A7A26D800CC8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000348807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.990{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63552-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000348806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.990{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63552-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000348805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.923{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local64705- 354300x8000000000000000348804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.920{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local55769- 354300x8000000000000000348803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.919{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local61638- 354300x8000000000000000348802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.918{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local58988- 354300x8000000000000000348801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.917{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local64227- 354300x8000000000000000348800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.916{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local61424- 354300x8000000000000000348799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.915{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local64192- 354300x8000000000000000348798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.915{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local64221- 354300x8000000000000000348797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.914{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local56174- 354300x8000000000000000348796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.913{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59978- 354300x8000000000000000348795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.911{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53938- 354300x8000000000000000348794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.908{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local64702- 354300x8000000000000000348793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.907{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local58847- 354300x8000000000000000348792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.907{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local57859- 354300x8000000000000000348791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.906{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local64618- 354300x8000000000000000348790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.904{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local56453- 354300x8000000000000000348789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.904{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59020- 354300x8000000000000000348788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.903{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local58208- 354300x8000000000000000348787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.902{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local57893- 354300x8000000000000000348786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.900{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local54797- 354300x8000000000000000348785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.899{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63438- 354300x8000000000000000348784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.899{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local59277- 354300x8000000000000000348783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.897{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53706- 354300x8000000000000000348782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.896{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local62735- 354300x8000000000000000348781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.895{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53653- 354300x8000000000000000348780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.893{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local57822- 354300x8000000000000000348779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.892{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local59966- 354300x8000000000000000348778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.889{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local60069- 354300x8000000000000000348777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.888{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63136- 354300x8000000000000000348776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.887{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local56361- 354300x8000000000000000348775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.886{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local60496- 354300x8000000000000000348774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.885{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53427- 354300x8000000000000000348773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.884{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63089- 354300x8000000000000000348772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.882{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53427- 354300x8000000000000000348771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.882{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local57261- 354300x8000000000000000348770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.881{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53domainfalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local62402- 354300x8000000000000000348769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.881{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local62402-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53domain 354300x8000000000000000348768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.880{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63361- 354300x8000000000000000348767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.873{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63551-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local49666- 354300x8000000000000000348766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.873{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63551-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local49666- 23542300x8000000000000000190536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:46.566{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=660E630C193650D437FAB2AB23602180,SHA256=3526AF581649C2F706F7430041E42D162B3E48124F3ABC445A84BC68B3274F5D,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000348765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:46.501{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\WinTypes.dll10.0.14393.5192 (rs1_release.220610-1622)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=C3EAC9E7B604696B078D4275571F58EC,SHA256=8A1F5F88F70C1BD511AE7D0E03D6ABAE1778D59D10041D17B562FE9190559A0A,IMPHASH=E5E8B16505186AC32311EE602EA3C845trueMicrosoft WindowsValid 734700x8000000000000000348764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:46.501{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\vaultcli.dll10.0.14393.5066 (rs1_release.220401-1841)Credential Vault Client LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationvaultcli.dllMD5=0F9CC4F83FDD30CA09546038D0C1500F,SHA256=754954935A1BB01C0695252B16EDF251F7FF2D66BFB00450CF038D0AA079B844,IMPHASH=8721D7F174531C1C4F8942462C87C899trueMicrosoft WindowsValid 734700x8000000000000000348763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:46.480{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Xml.dllMD5=6A146F9D3906B27C239265A59E380270,SHA256=7900A67FBAA2A99BFE84CA06D28E5852C6D5998F702C1891381CCF08F23A0885,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000348762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:46.480{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Xml.dllMD5=6A146F9D3906B27C239265A59E380270,SHA256=7900A67FBAA2A99BFE84CA06D28E5852C6D5998F702C1891381CCF08F23A0885,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000348761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:46.480{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Xml.dllMD5=6A146F9D3906B27C239265A59E380270,SHA256=7900A67FBAA2A99BFE84CA06D28E5852C6D5998F702C1891381CCF08F23A0885,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000348760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:46.380{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\shfolder.dll10.0.14393.0 (rs1_release.160715-1616)Shell Folder ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationshfolder.dllMD5=83D8A4E04F99C5FD749D34CC4B970A0E,SHA256=0924F96973B3CE4F15BB7947E6C593B3EA1015E459BF70C3A247A31632EF2ACA,IMPHASH=A262E121DDB8823B3F2D530403B9D7E9trueMicrosoft WindowsValid 10341000x8000000000000000348759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:46.364{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:46.364{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:46.332{6820D070-4E46-6323-4401-000000007502}51769140C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+eec5b(wow64)|UNKNOWN(0000000017009443)|UNKNOWN(00000000170093C9)|UNKNOWN(000000001700933D)|UNKNOWN(0000000017009266)|UNKNOWN(0000000017009172)|UNKNOWN(000000000DC4ADBC)|UNKNOWN(000000000DC493C5)|UNKNOWN(000000000DC48E6E)|UNKNOWN(000000000DC48DA8)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+25f311(wow64) 354300x8000000000000000348756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.155{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63536- 354300x8000000000000000348755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.154{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63281- 354300x8000000000000000348754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.143{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63550-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000348753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.143{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63550-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000348752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.038{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53777- 354300x8000000000000000348751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.036{6820D070-4AD1-6323-0D00-000000007502}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63549-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local135epmap 354300x8000000000000000348750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:44.036{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63549-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local135epmap 354300x8000000000000000348749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:43.307{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:0:0:c8f0:65f5:8cc8:ffff-61604-truee000:fc:2202:0:0:2cd8:fa7f:0-5355llmnr 354300x8000000000000000348748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:43.307{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMudptruetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local61604-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x8000000000000000348747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:43.307{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local55786- 354300x8000000000000000348746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:43.306{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local54387-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domain 23542300x8000000000000000190537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:47.660{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC1E37B17B505D3CACDFD461DF7694F2,SHA256=61A731F2A6FB0F57B5923687D92F2DF1CA713C9E0DC91179653FCD00A16E03A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000348809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:47.217{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=7556C0BEFA859B4CAB1C9D939F27B741,SHA256=ACA817FB86877E4A655FC0C006E351B03FA794139F9874D5F73BBAC95033BE5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:48.742{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE05B01DCE4CD964921ACEB6DFF0F915,SHA256=6A9D3100784DA00B99DD3DBAA020FDBA51126D483AF721BA2032B608B1283CE6,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000348813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:48.909{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll2.0.50727.8745 (WinRel.050727-8700)System.Configuration.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.dllMD5=6E9FE32D7D938180DB306069FA9FBA62,SHA256=52A75F094CC93AD4A13147734BEEEC8F0CA989FF182BF6E9FDCFB69BF59A4A9D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000348812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:48.909{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll2.0.50727.8745 (WinRel.050727-8700)System.Configuration.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.dllMD5=6E9FE32D7D938180DB306069FA9FBA62,SHA256=52A75F094CC93AD4A13147734BEEEC8F0CA989FF182BF6E9FDCFB69BF59A4A9D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000348811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:48.893{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll2.0.50727.8745 (WinRel.050727-8700)System.Configuration.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.dllMD5=6E9FE32D7D938180DB306069FA9FBA62,SHA256=52A75F094CC93AD4A13147734BEEEC8F0CA989FF182BF6E9FDCFB69BF59A4A9D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 23542300x8000000000000000348810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:48.332{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CD339EBB95E8D42F58BFFBB20572719,SHA256=2DF487B5518D81B1ED3F020F849965657E56BA52F5DAB4D06E21773E98E652F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:49.840{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8AEA2736574B3CB833BCEFEB7AFED87,SHA256=CC3B599913349D2C0DFEB6435209DA0AEBAADDA74E1EBF1EAC91EDBB1CF6D28E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000348830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:49.362{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59A810CCC166CBB9080EB0DC7EDA8488,SHA256=B15B89E196F72A59897ADDD1A4255304645B0661AE9CA9B4D5F11045B1B7B10F,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000348829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:49.246{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=BA22C7AFE02E09916C5664E1DD98A879,SHA256=459AAE00EF66DADD15FB86684FFA028F0589C470A10EB27E0EA59C9E33C17E94,IMPHASH=58B9E3FB550C715872D0FDCF7F80C373trueMicrosoft WindowsValid 734700x8000000000000000348828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:49.246{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=49F66601F196554BC9B36310CE84F011,SHA256=44FD17A3EC95EC7D0F568E132A6793BEB7582A8B48E7EEEC6C958BD217CFCA6A,IMPHASH=C910DDFE30DC1006ADAE67F73F17158EtrueMicrosoft WindowsValid 734700x8000000000000000348827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:49.230{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=5777A6C6196919EBE8B73B273DF5FAF6,SHA256=062F973C688650068FD4B3E2EB0E474CE204120ED3E18CDC341C0A3E528C7839,IMPHASH=DC23FFFD2EBC3578D9A77CC0B9DC22C2trueMicrosoft WindowsValid 10341000x8000000000000000348826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:49.230{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000348825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:49.230{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=FEC73B133C8A34087EF9E872CD1CD45E,SHA256=4BF805F38A47FAFE9E039DE56DD1B9E36B40561C6D3FD3C75907F35CAA91D9A6,IMPHASH=228F99E8B005CFF18296089AF6DEA022trueMicrosoft WindowsValid 734700x8000000000000000348824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:49.169{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\dhcpcsvc.dll10.0.14393.3930 (rs1_release.200901-1914)DHCP Client ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc.dllMD5=68C7867BEB2A710D14B70D96C4D7DE4E,SHA256=DA093049898D4608579C739B6A63DC98A3FBA57ABDDBFB94C48D2A8335BA0CBD,IMPHASH=02FB3A0617EDCFE43788537F1544278CtrueMicrosoft WindowsValid 734700x8000000000000000348823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:49.169{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\dhcpcsvc6.dll10.0.14393.3930 (rs1_release.200901-1914)DHCPv6 ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc6.dllMD5=48821439687840212B6457EDD266FA1C,SHA256=F3E9CC2B98D7E0CEBCFCC7906926E839436358437EF10E335CAF7FFAB9E13DC5,IMPHASH=F55036BC63B11DD610F1F8CFD77D76A7trueMicrosoft WindowsValid 734700x8000000000000000348822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:49.169{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=CDDE3316B3736A9613F31610AC137C9E,SHA256=545CD6206CC1CD22A7CE8B4845CFCE3E06AAD97D4334588A52F0F143CC8AD171,IMPHASH=5C77750BF609660A7729B242FA74E98CtrueMicrosoft WindowsValid 734700x8000000000000000348821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:49.169{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=380F0481E3BA9EA699BB6F674A500745,SHA256=ED5F6D3E1F27292480800E540E5F60CF8E8A157B52AC47ACA8B81F57F63F30F0,IMPHASH=2B9681B9C7B5E00CD2814399F4685385trueMicrosoft WindowsValid 734700x8000000000000000348820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:49.169{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\OnDemandConnRouteHelper.dll10.0.14393.0 (rs1_release.160715-1616)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=DF275C9659ED8215695B572A8CE17FBC,SHA256=D8F3C962E828201B361A6F634412B7BE25EC1BD3F848F259E3C996BB9572B0FB,IMPHASH=BBDB119EC3E50CDEAA84B3E28AC52C3DtrueMicrosoft WindowsValid 734700x8000000000000000348819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:49.169{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\winhttp.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=8F6507E78B57C5C15C125EF3904F4A68,SHA256=213845D780A00F05ED859C2B2D257085E7100817F135D3CDB299874D402C0B53,IMPHASH=D569F6E4A4CC77554BFC5FE46045DA9AtrueMicrosoft WindowsValid 10341000x8000000000000000348818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:49.112{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000348817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:49.082{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=F18662FD1BCB04019CA35313C7BD1AB0,SHA256=44968455D3EEA914958BF90A83BA9311E9311676C32D8D46BB6109DF655738A4,IMPHASH=3BCAD7DA03A0242A2A34491F77EA8067trueMicrosoft WindowsValid 734700x8000000000000000348816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:49.077{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\rtutils.dll10.0.14393.4825 (rs1_release.211202-1611)Routing UtilitiesMicrosoft® Windows® Operating SystemMicrosoft CorporationRTUTILS.DLLMD5=AFD803265386C9791F6A26C98A52B1E4,SHA256=F7D8E4CCD3E32B9F3937C93940F0D6C5D453FB77C5E2E66C14B50C354FF934FF,IMPHASH=CA2D0A2353175BFD399FB5381901EA00trueMicrosoft WindowsValid 734700x8000000000000000348815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:49.061{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\rasman.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access Connection ManagerMicrosoft® Windows® Operating SystemMicrosoft CorporationRasman.dllMD5=5FA2F260361FC794573481F9EC54B03F,SHA256=58EE3CD71D7C6E004F4F99655C4BA715DF3A1F0305A2EC08F8662739AE5D97DB,IMPHASH=8B20BEBDEB3F8196B52FC66611947B06trueMicrosoft WindowsValid 734700x8000000000000000348814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:49.061{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\rasapi32.dll10.0.14393.4283 (rs1_release.210303-1802)Remote Access APIMicrosoft® Windows® Operating SystemMicrosoft Corporationrasapi32.dllMD5=AF871935624629AA6B8DE455E8FB6487,SHA256=1C68A46D61720D2ACE4B1A31AF289CA50FF0FF00120401D209630A8AE970C98A,IMPHASH=79522D6413DA1768058547C716FAB849trueMicrosoft WindowsValid 23542300x8000000000000000348833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:50.832{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\glean\db\data.safe.binMD5=C2FE0F2347B4C7EAECAC2957E69D4494,SHA256=530356B46E29F43CED83203523E3AAE20C6C7A20E017EF5A4067125BFB150AB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000348832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:50.472{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=954B4458558563474905E540B1AF2B43,SHA256=C1944D6DB4711261CB3CA3AAF84262A096FC0D196BFE04F07D73B9350A652743,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000348831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:48.340{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63553-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000190540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:48.290{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49881-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000348835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:51.448{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66A3F1F888001B8F21020ED107FB20F1,SHA256=F35AA81B3E412787D0512EF5E7395E72439AD52C030293432C106A204D91AE95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:51.165{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=018D3AFE217F49280B497CAC5831BB04,SHA256=BBEF83D1785D55158DB964BC3150A216D545039043E5246EF8EE753DBA86B3EC,IMPHASH=00000000000000000000000000000000falsetrue 22542200x8000000000000000348834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:48.458{6820D070-4E84-6323-4F01-000000007502}6696www.theonionrouter.com0::ffff:10.0.1.16;C:\Temp\agent_tesla-deob.exe 734700x8000000000000000348846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:52.864{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\WindowsCodecs.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft Windows Codecs LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationWindowsCodecsMD5=7294744A8618ADCFB97F6CC9B06781BF,SHA256=9CBA204AECE064C4E8AA5C1E8D7C17EA054A47B315D8CEEFA1C206395E5E32D7,IMPHASH=5CB0004DB7090241A0C06F1853D02144trueMicrosoft WindowsValid 734700x8000000000000000348845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:52.812{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.5127_none_f67513fcf253b94f\GdiPlus.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=6EDB43C233D76CB312D42C21716962E5,SHA256=19DD51B9B6B8371291C41DFD76B69995953A062A1701EEF302CE44C68599171A,IMPHASH=7693D57C38FF80D4013B00CECB7C64E3trueMicrosoft WindowsValid 734700x8000000000000000348844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:52.784{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=AC951CC1306C73767A05F04BFC916CD8,SHA256=5FE28B70168433EF1C6DDE3CB1BE43A1A614508C37BC9C32F2051E5BA341C6C3,IMPHASH=EF37C47ACC74D5DC3737EEE137193A8DtrueMicrosoft WindowsValid 23542300x8000000000000000348843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:52.533{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21CF620A46BD13C0CC6785CBFE5E9C48,SHA256=0E0F1710B00A50C1202D69D260E338500C5A40072EE463E93F3160C06D26B993,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000348842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:52.496{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationAccessibility.dllMD5=B2E013306A84513CA912FF6DE4F53C4F,SHA256=AB56D0A7507FBBB187D165BAA5046F210D14D18FCDBCFE494EF7794843917F97,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000348841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:52.496{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationAccessibility.dllMD5=B2E013306A84513CA912FF6DE4F53C4F,SHA256=AB56D0A7507FBBB187D165BAA5046F210D14D18FCDBCFE494EF7794843917F97,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000348840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:52.496{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationAccessibility.dllMD5=B2E013306A84513CA912FF6DE4F53C4F,SHA256=AB56D0A7507FBBB187D165BAA5046F210D14D18FCDBCFE494EF7794843917F97,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000348839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:52.496{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85,IMPHASH=60EA58ED63BD25EC1709F72F112B0086trueMicrosoft WindowsValid 734700x8000000000000000348838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:52.449{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Drawing.dllMD5=10E731CD4FE19798054F2D564012364F,SHA256=F23C4888571741A8528631F72F21F061F936626F11CC43FB851DC1A2D73B2E9B,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000348837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:52.449{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Drawing.dllMD5=10E731CD4FE19798054F2D564012364F,SHA256=F23C4888571741A8528631F72F21F061F936626F11CC43FB851DC1A2D73B2E9B,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000348836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:52.449{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Drawing.dllMD5=10E731CD4FE19798054F2D564012364F,SHA256=F23C4888571741A8528631F72F21F061F936626F11CC43FB851DC1A2D73B2E9B,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 23542300x8000000000000000190542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:52.255{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3BEBD399E639B8FAE152C0638D2D2DC,SHA256=14F61358002392A1C3FA8E804A15C2F71DA9A8AF621971D74A1FB00AF1FA561F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000348849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:53.717{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C844F36AFD05F31CAC2460676D69336A,SHA256=A9B502AE3B0A5CE6A25C30C4E9F3B5ED4027ADB39EC1F07CC275A9E885ABC555,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:53.337{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3DE23CBF695950E744A94A3B5661695,SHA256=AF337271ADC002832C6D0F0E68BA5693B8BD83821C3344B060F7DFD7AFF07190,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000348848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:53.587{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Globalization.dll6.0.21.52210System.GlobalizationMicrosoft® .NETMicrosoft CorporationSystem.Globalization.dllMD5=900E19E7572F498E5ED88BB715EB51FB,SHA256=F66F76520039212A416F8C02D2DFBA902D87DF14DDFC8C68C21A59A3C79F271A,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrue.NETValid 734700x8000000000000000348847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:53.579{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Users\Administrator\Downloads\bin\System.Threading.Tasks.Parallel.dll6.0.21.52210System.Threading.Tasks.ParallelMicrosoft® .NETMicrosoft CorporationSystem.Threading.Tasks.Parallel.dllMD5=0AD164DC14A4CF9D0CBDA901A89350EB,SHA256=6520F1138660EFBDAE111D2FEACF6907B8AF41654ECAF1DC201116E8829C864F,IMPHASH=00000000000000000000000000000000true.NETValid 23542300x8000000000000000348850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:54.784{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFC2479BA2E54CB876703AC140C636D1,SHA256=E4C081ACEF5A612E96F92FCE993F8D05E49B0991A73A268F7C5C42452548E084,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:54.514{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73F4238448755F2E77B5E93D8700BB5C,SHA256=5672D7C7444AB1FC0B14441A1537107555460DB3B2A6097D7ACFEE9B618CB43B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000348852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:55.922{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4102523866866B0DD36B48AA8B7339D4,SHA256=7FB39C82ACD8722079B62B52F9530145154D6F43565571B743E1E6B1FB25E19A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000348851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:55.853{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\glean\db\data.safe.binMD5=A3197BFA9A66CD9482DF1BD402044EC1,SHA256=8E3AE362E616FFD07A12ECC4AB668F5D684AB1F9FEAA97B994742260D5DF7D88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:55.597{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49C27B04C03729F8D9EE6FC58F55563A,SHA256=A5E3B64E84AF195EF2D518DD69A1039FDD1F0821D84A69198157EB49C56117FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:54.300{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49882-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000190546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:56.766{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2E1B416769AC9598CAD8C76F8C5385E,SHA256=5A1ACB1220CA0091B7E34A002FED10B9DA12E27219691A30AD97FCDC2AA92415,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000348854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:56.923{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45A23AA7DB5179D264B7711D99BC6C41,SHA256=699D718E34C4FF004F932BEC062EA8B611214B255D3F9A9EE98FEA32F41CC18A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000348853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:54.233{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63557-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000190549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:57.852{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE96D19747E0F748C454342E2608827D,SHA256=E2EC982FC61ACE364FFD91F590EB5AAEC17CA4F59FDBAE42FD0A36D2B4954860,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:57.382{E743DC12-4AD0-6323-1100-000000007602}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=86B1B3758CB19B4EFD275F41114DDFDB,SHA256=E2BE743527FB7126BC4FB87C8CDC25502EAB1E01230AF54673701CED06F62CFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000348855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:57.586{6820D070-4ADF-6323-3200-000000007502}2936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=809AB1259E0B370AE8944EC43E420050,SHA256=B70C89E65AC3D5FDC2D0067BDA91724AF34254341D57D725ED483EEA737A5400,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:58.952{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D7AEF61A15D3C83EF9764999ECF5933,SHA256=A9C83C91C57DBCEF765A52F70656F1714B2ED50B880664408C87EAFEBD1E39B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000348857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:58.803{6820D070-4AD1-6323-1100-000000007502}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=0DBEE15D27AE3A2A9956A54FB072F980,SHA256=E68A61A8DEACDABEA228F32720B9D35FB5F2FDE071965796B803A500FE2C06CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000348856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:58.039{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87812D03DF896B13A9E2F2CD95F4D4FC,SHA256=FB0F7D110B15FB4A0D3B4D48FF7D8CDD429BDA39843EE21F9ED127D14569F16E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000348888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:59.964{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2E00-000000007502}2728C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:59.962{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2D00-000000007502}2720C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:59.958{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:59.589{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:59.575{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2900-000000007502}2576C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:59.554{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:59.514{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2600-000000007502}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:59.494{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2500-000000007502}2460C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:59.491{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADB-6323-2300-000000007502}2300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:59.489{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD2-6323-1B00-000000007502}1512C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:59.487{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1700-000000007502}1348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:59.475{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1600-000000007502}1292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:59.404{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:59.371{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1400-000000007502}1160C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:59.356{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1300-000000007502}924C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:59.334{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1200-000000007502}396C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:59.312{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1100-000000007502}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:59.301{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1000-000000007502}428C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:59.279{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0F00-000000007502}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:59.266{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:59.256{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0D00-000000007502}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 11241100x8000000000000000348867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:59.253{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\AlternateServices-1.txt2022-09-15 16:10:59.251 23542300x8000000000000000348866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:59.253{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\AlternateServices-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000348865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:59.251{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\AlternateServices-1.txt2022-09-15 16:10:59.251 10341000x8000000000000000348864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:59.240{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 11241100x8000000000000000348863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:59.195{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\SiteSecurityServiceState-1.txt2022-09-15 16:10:59.193 23542300x8000000000000000348862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:59.195{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\SiteSecurityServiceState-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000348861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:59.193{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\SiteSecurityServiceState-1.txt2022-09-15 16:10:59.193 10341000x8000000000000000348860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:59.157{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:59.154{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0900-000000007502}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 23542300x8000000000000000348858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:59.142{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48BA87D1FE38FEA6A3DB0560B747A3E0,SHA256=C8FF0788F0CDDFCB07EAF9050A9856B67DFA87EA225220A3069FC6245A216110,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:00.047{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6947BE09B9F99D406C9969015C6E1766,SHA256=A397CEE6294999FBD6FD5D8B1D953283A50943A9114E7C67CE910B8D393ED675,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000348890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:00.889{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\glean\db\data.safe.binMD5=DC4893EDD792A7AE1B52BD4BF3D9B5BD,SHA256=3BD52AE32A1CF7D0B702A3FE8213AF3B0EB23B5C08C1DE5F1D71DF3078FD125D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000348889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:00.423{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3E1507A111C92F31B917A3F48EABC1F,SHA256=AB3A8F035535BB76B0654C346689CA43ED5635D8C74D4287C12C1E58FFD8C0C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000348893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:59.252{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63559-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000348892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:10:58.891{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63558-false34.117.237.239239.237.117.34.bc.googleusercontent.com443https 23542300x8000000000000000348891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:01.479{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD5F4023A1DC274C864785F108D39EA6,SHA256=0375DE9B2CBD8C7D5E260EDCB979B8BB15F51C16A690CEA3FF93D7DF4584124D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:01.138{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3843D50481868CCE112DAC9A82F3AA40,SHA256=1ACAC25071B6486E223E8ED4434F2A6A3FEAE830BAB9477F64BC59ECEB940269,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000348929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:02.746{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:02.732{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:02.729{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:02.727{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:02.724{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:02.722{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:02.719{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:02.716{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF6-6323-1401-000000007502}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:02.714{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:02.712{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F100-000000007502}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:02.709{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F000-000000007502}6028C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:02.706{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EF00-000000007502}5984C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:02.696{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EE00-000000007502}5852C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:02.678{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:02.672{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:02.654{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:02.602{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:02.593{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-9100-000000007502}4556C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:02.574{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-8E00-000000007502}4492C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:02.564{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8B00-000000007502}4360C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:02.559{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8900-000000007502}900C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:02.555{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B64-6323-8600-000000007502}5052c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:02.550{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B5A-6323-8400-000000007502}4824C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:02.547{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AF2-6323-7D00-000000007502}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:02.542{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:02.536{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4C00-000000007502}3976C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:02.535{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4700-000000007502}3772C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:02.529{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE1-6323-4600-000000007502}3752C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:02.529{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE0-6323-3A00-000000007502}3404C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 23542300x8000000000000000348900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:02.513{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDD903DDCEDF60BBFED8BA7A7D6586DD,SHA256=9AF15686A3F1E9BFAE6E3BD5BB729A2BE5F5CC513CA666EF0CD437080DF82335,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:02.207{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62EEBAA24218B5D8F6A79276FD18CDC2,SHA256=F254B0E90149F1AF1D2367D0C853D4665519E429F2BC783A60FE264F28440E10,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000348899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:02.021{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3500-000000007502}2408C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:02.020{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3300-000000007502}2176C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:02.016{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:02.013{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3100-000000007502}2816C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:02.009{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2F00-000000007502}2800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000348894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:02.006{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3000-000000007502}2780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 354300x8000000000000000190553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:10:59.380{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49883-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000348930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:03.607{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=818B50645451550D5B30505761582E69,SHA256=90AF0B464DAFA0686EC4177BC1F8308F460F617DF8A046D0342594E1E3A5B959,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:03.990{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1000-000000007602}940C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:03.985{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0F00-000000007602}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:03.977{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0E00-000000007602}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:03.960{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0D00-000000007602}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:03.951{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0C00-000000007602}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:03.941{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:03.939{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0900-000000007602}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 23542300x8000000000000000190555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:03.289{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4281651649FB9B5B0B0605535EDD83C,SHA256=19C26BBC1CA45B598EBE2773A5EE25C18CCBAF0A85E7DF3B49E42C4266750A02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000348932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:04.692{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5B96CC70DCE791083CD3845A9FB7412,SHA256=5FF8A2ACD2E0C773667804AACBBA596C5FBA3A00C13588BD7DB2E5D5C34C9393,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000348931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:04.692{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\qyyifi8m.default-release\cache2\doomed\5982MD5=6DC81BEFD35EB97A73185319914C6CEF,SHA256=7083ED345970BEEA38CEF56A14AF6A926AB21B5A47916EE2D44B89E19692290F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:04.512{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94F8787323E45F3D099BBEB470A2E7C4,SHA256=D299803E1944B356F0B058F7922B6ECD0FB568E8B9242292C1ED4B247A24BDE2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:04.177{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B84-6323-9000-000000007602}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:04.168{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:04.155{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:04.150{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8700-000000007602}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:04.142{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B81-6323-8400-000000007602}3052C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:04.135{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B80-6323-8100-000000007602}640C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:04.127{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B7F-6323-7F00-000000007602}1676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:04.124{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B4B-6323-7B00-000000007602}2656C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:04.122{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AE3-6323-6D00-000000007602}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:04.119{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:04.116{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4200-000000007602}3036C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:04.115{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4000-000000007602}3000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:04.113{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-3C00-000000007602}2820C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:04.112{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD2-6323-2B00-000000007602}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:04.110{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2600-000000007602}2612C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:04.108{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2500-000000007602}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:04.103{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:04.098{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:04.092{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2000-000000007602}2000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:04.088{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1F00-000000007602}1984C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:04.077{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1C00-000000007602}1924C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:04.069{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1900-000000007602}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:04.056{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1700-000000007602}1228C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:04.054{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1600-000000007602}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:04.046{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1500-000000007602}1056C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:04.026{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1400-000000007602}1048C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:04.021{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1300-000000007602}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:04.014{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1200-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:04.007{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1100-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 23542300x8000000000000000348933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:05.792{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9AFB9F6E08CCDCC1F73DC55BC32C152,SHA256=2A9A6BFDF1AC3D053469A610DA531C9FF3A272A019DCAEC6F4CC7BE1E59A7307,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:05.533{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79B41B91CA005DF647D88898985B1BCE,SHA256=FAA1E524AE4E3956E3976B6D29F6D6546D0ED7B8C8BF9BDED8E6F762ED673774,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000348935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:06.896{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E713F4589ED1C7677E01BCB366DAE63,SHA256=E6284AE71794E7B93AC26B504F83AF391CBB1BEC51210F63288B46F7079209EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:06.601{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CF87E85DD02B5D9AC238FFBF6D4DE64,SHA256=E262F5BF79C62F05D0D98FAD065CE7A05640A128BEB59135853C65AB4D9EB81B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000348934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:04.439{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63560-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000190597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:06.301{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:06.301{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:06.301{E743DC12-4ACF-6323-0B00-000000007602}628668C:\Windows\system32\lsass.exe{E743DC12-4AD0-6323-1400-000000007602}1048C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:06.288{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-1D00-000000007602}1944C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000348936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:07.983{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A7C2A495197964CA1EB1500125F6087,SHA256=E287B52C9128D4B32165862A133B6D091C1EDE34A57476ABE556EF401576EF6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:07.692{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A24577F7C0BEB661B12D8B806C13651,SHA256=31718CCB265B438099C0F2A1746CDFB6FF2D16414CC1829330C4CF2C2B88AEE8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:07.645{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4E9B-6323-FA00-000000007602}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:07.645{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:07.645{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:07.645{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:07.645{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:07.645{E743DC12-4ACF-6323-0500-000000007602}412528C:\Windows\system32\csrss.exe{E743DC12-4E9B-6323-FA00-000000007602}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:07.645{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4E9B-6323-FA00-000000007602}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:07.646{E743DC12-4E9B-6323-FA00-000000007602}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000190599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:04.491{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49884-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000190627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:08.976{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4E9C-6323-FC00-000000007602}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:08.976{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:08.976{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:08.976{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:08.976{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:08.976{E743DC12-4ACF-6323-0500-000000007602}412528C:\Windows\system32\csrss.exe{E743DC12-4E9C-6323-FC00-000000007602}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:08.976{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4E9C-6323-FC00-000000007602}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:08.977{E743DC12-4E9C-6323-FC00-000000007602}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000190619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:08.945{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0251443D2968CCCD9E876FE4231A241,SHA256=95FF19960AACBB17AED884A714C5B74621AA552CBF3A4C0AB78D825989FC21F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:08.773{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CBD182E0904FF4118CB376AC5830226,SHA256=2819D0E0D17CFF880123846C05277F59DFE048A4E82D9B359E173E28B654F975,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:08.486{E743DC12-4E9C-6323-FB00-000000007602}24764796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:08.313{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4E9C-6323-FB00-000000007602}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:08.313{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:08.313{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:08.313{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:08.313{E743DC12-4ACF-6323-0500-000000007602}412528C:\Windows\system32\csrss.exe{E743DC12-4E9C-6323-FB00-000000007602}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:08.313{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:08.313{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4E9C-6323-FB00-000000007602}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:08.313{E743DC12-4E9C-6323-FB00-000000007602}2476C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000190644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:09.841{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DEAE501F5BE90752CF347CAAAB896C9,SHA256=7E892C1E5FC2A7C8999781A0CB95A5241C1E2A7D61F14FCC3FA021D5D1379FFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:09.810{E743DC12-4E9D-6323-FD00-000000007602}48801612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:09.653{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4E9D-6323-FD00-000000007602}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:09.653{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:09.653{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:09.653{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:09.653{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:09.653{E743DC12-4ACF-6323-0500-000000007602}412528C:\Windows\system32\csrss.exe{E743DC12-4E9D-6323-FD00-000000007602}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:09.653{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4E9D-6323-FD00-000000007602}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:09.654{E743DC12-4E9D-6323-FD00-000000007602}4880C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000190634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:09.109{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=5DC51F2F2A4ED97F99A3B1A45015BD3A,SHA256=02D02B6761D23A04CBEA6997CE4F2E2EBA40B2B88E9F26BBCDBA9C703F23E462,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:09.080{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4E9C-6323-FC00-000000007602}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 10341000x8000000000000000190632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:09.080{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4E9C-6323-FC00-000000007602}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 10341000x8000000000000000190631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:09.080{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4E9C-6323-FC00-000000007602}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 10341000x8000000000000000190630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:09.079{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4E9C-6323-FC00-000000007602}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 10341000x8000000000000000190629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:09.079{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4E9C-6323-FC00-000000007602}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 10341000x8000000000000000190628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:09.079{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4E9C-6323-FC00-000000007602}4812C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 23542300x8000000000000000348937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:09.065{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F9CA298A86BCBA92D16873801058FEE,SHA256=BE26E68140336F859094E721CF85ED0EDA869FF47599A648BAB3DC3291C64C22,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:10.952{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4E9E-6323-FF00-000000007602}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:10.952{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:10.952{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:10.952{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:10.952{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:10.952{E743DC12-4ACF-6323-0500-000000007602}412428C:\Windows\system32\csrss.exe{E743DC12-4E9E-6323-FF00-000000007602}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:10.952{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4E9E-6323-FF00-000000007602}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:10.953{E743DC12-4E9E-6323-FF00-000000007602}4944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000190653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:10.445{E743DC12-4E9E-6323-FE00-000000007602}18084392C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:10.273{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4E9E-6323-FE00-000000007602}1808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:10.273{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:10.273{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:10.273{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:10.273{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:10.273{E743DC12-4ACF-6323-0500-000000007602}4121064C:\Windows\system32\csrss.exe{E743DC12-4E9E-6323-FE00-000000007602}1808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:10.273{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4E9E-6323-FE00-000000007602}1808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:10.276{E743DC12-4E9E-6323-FE00-000000007602}1808C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000348938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:10.135{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C8CBE7CC33C8F902E80FC143368BDFA,SHA256=085BCDF0B843029AA0EA4DF4D68CEC396E0B823CF1EDC29B4D2521F7F9CC1072,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:11.717{E743DC12-4AD1-6323-2200-000000007602}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5A41DECB265131728DAD39F8D4838F77,SHA256=C8ECB20DA5C03BF71DAA5C273B228CB33C08C23CB4FB98B93A04CA0F84918B53,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:11.623{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4E9F-6323-0001-000000007602}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:11.623{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:11.623{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:11.623{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:11.623{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:11.623{E743DC12-4ACF-6323-0500-000000007602}412528C:\Windows\system32\csrss.exe{E743DC12-4E9F-6323-0001-000000007602}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:11.623{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4E9F-6323-0001-000000007602}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:11.624{E743DC12-4E9F-6323-0001-000000007602}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000190663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:11.190{E743DC12-4E9E-6323-FF00-000000007602}49444412C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000190662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:11.046{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0F7E855126CD5E54B47563EABB083E5,SHA256=B38AA527B0BDF63010790859E647059B9AD05B5FB694D3C726AED682F9A7BA55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000348943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:11.836{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000348942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:11.836{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=8A750B8E3464EF5FE44B161076A865F3,SHA256=2B2315CE6293A553A78D7B4C159F0164B0A47F28230BC4D82CF77D8359719E4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000348941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:11.236{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A3D4B740E7ABC759187C0C66A96ED63,SHA256=72569FFF5D4ECA6D1C73F5C72E2B9A70849F545C86BFAB84B65CF7854B6CCDE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000348940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:11.088{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:11.088{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000348944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:12.337{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=247CC4D3B30282C603ADC2585EC21962,SHA256=75F9A396C43A74CE78DD91396298020CCE2DFC320B73EE0F5CC34B62CB1CB7FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:12.139{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6E33428D0696706F792D7C114603626,SHA256=23D5B2AD7211452CB44D6FD96CAC3131BAB83DEFFA67C7F6127541B523A8FCA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000348946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:13.453{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=425B9EE4D3801758D4292E5E9B70D485,SHA256=EA776EA7F8ED7B7226C95D2C92E95E05B4D7870FBD14BEC68AC0547A41955451,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:10.491{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49885-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000190674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:13.323{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80A807186E474D8D9D26E37239545345,SHA256=DB258DC85E4EB8844F7644E31A923F548173CA25D3A4931F02D5F62E8B15F681,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000348945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:10.409{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63561-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000348947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:14.559{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E5E19A14B4106B30C79DED71E5E2BE2,SHA256=090EC004D8AE6BA95911440D509C7B2B6C56C1947B3DEF97B04CD8A09578BDFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:14.407{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=778C6BF62E96754A1A95CED4F73F36EC,SHA256=91562129BC2A778136418E246F4BF50579C493E6D2F275DC2449AD644663AEFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000348948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:15.671{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1A975E0CA75B99DD2DA0E35D1C7076D,SHA256=37EEA8795085949B16B3F4C7D5C2F7B15144584831FC0E0DF42D345C0270B27F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:15.612{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=595466CD33EEF433F417F0B5AAAA9607,SHA256=4101053DD46FA14FDBA6E33ECD30814F72055CDBFCA95E500759FF9A736C4C99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000348949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:16.740{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C45B8550797854CCBD7E99AB93DF5AF8,SHA256=4F44700439118639E8CC9322AFD0DD480F339E86B210DE5384BE946469AAA062,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:16.706{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B863F9C2D63BE3A01E69860BEEB20633,SHA256=09842419830FA4D3F18DD058CFE5AACEBCB1B3B47783034C3987FCAB589A8681,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:17.795{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F8158F8A3FD5338C0A5DE8DD500C737,SHA256=685F478EC865901D704FAE98663DB8916401EE932C4DD9390ACD7375DFA7137D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000348950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:17.856{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B19CB85A9BF17D9191CB697990E45334,SHA256=BCD0D826A8388ED16820118159D2560A3A62942E9807976C598B458C3FA7A0CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:18.874{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49BCC76011FD100BBA7DB5856C844790,SHA256=AC269B7CA57F3C971AD940118C7C70E505B84EAEB187F7E533C57AA072BAB91D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000348951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:18.891{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DF8127C25CB89229F467161765B468E,SHA256=2FD8F2C21EF61B41015B215F32DCC511C3A1BA708766F5BBD24609BC04754D66,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:16.336{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49886-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000190682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:19.962{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84F40B1D786D448081A8032F67ACAE9F,SHA256=E38EF5136BE251561BF1F8E9397550037F5BD22ED83950A6F30266A8E1425825,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000348978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:19.839{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2E00-000000007502}2728C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000348977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:19.837{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2D00-000000007502}2720C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000348976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:19.833{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 354300x8000000000000000348975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:16.918{6820D070-4AB3-6323-0100-000000007502}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local138netbios-dgm 354300x8000000000000000348974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:16.918{6820D070-4AB3-6323-0100-000000007502}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 354300x8000000000000000348973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:16.285{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63562-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000348972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:19.387{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000348971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:19.380{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2900-000000007502}2576C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000348970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:19.373{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000348969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:19.363{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2600-000000007502}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000348968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:19.354{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2500-000000007502}2460C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000348967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:19.351{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADB-6323-2300-000000007502}2300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000348966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:19.349{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD2-6323-1B00-000000007502}1512C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000348965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:19.347{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1700-000000007502}1348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000348964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:19.337{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1600-000000007502}1292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000348963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:19.310{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000348962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:19.302{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1400-000000007502}1160C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000348961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:19.290{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1300-000000007502}924C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000348960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:19.280{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1200-000000007502}396C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000348959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:19.271{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1100-000000007502}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000348958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:19.263{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1000-000000007502}428C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000348957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:19.247{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0F00-000000007502}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000348956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:19.239{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000348955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:19.221{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0D00-000000007502}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000348954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:19.211{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000348953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:19.162{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000348952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:19.153{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0900-000000007502}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 23542300x8000000000000000190683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:20.741{E743DC12-4AD1-6323-2200-000000007602}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000348981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:20.402{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:20.402{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000348979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:20.106{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60D58309579DAB2021D1AEC2329BB07C,SHA256=F43421DFED57FFD596FD2A47B8426F88FC1620A3981E7547E1D06D93981E1994,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000348997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:21.874{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3500-000000007502}2408C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000348996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:21.874{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3300-000000007502}2176C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000348995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:21.869{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000348994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:21.867{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3100-000000007502}2816C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000348993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:21.863{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2F00-000000007502}2800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000348992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:21.860{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3000-000000007502}2780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 734700x8000000000000000348991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:21.625{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000348990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:21.625{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000348989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:21.624{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000348988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:21.618{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000348987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:21.618{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000348986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:21.618{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000348985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:21.617{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:21.604{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000348983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:21.604{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000348982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:21.178{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF6EA2797E66F7BA59D3B8BA25548A75,SHA256=99480BC13C96664F18895AF02F3421E0BC42D6B470B13064E8311BB355DD951B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:21.053{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70BBD0CE98BC19F17F58A00D96EAE979,SHA256=6609109171EAAC9C548E629944B41F169E63F4D4C2848EB69B28BFA9734F3EB9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000349027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:22.636{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:22.624{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:22.620{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:22.618{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:22.615{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:22.613{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:22.609{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:22.606{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF6-6323-1401-000000007502}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:22.605{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:22.602{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F100-000000007502}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:22.598{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F000-000000007502}6028C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:22.596{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EF00-000000007502}5984C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:22.589{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EE00-000000007502}5852C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:22.570{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:22.548{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:22.514{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:22.461{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:22.453{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-9100-000000007502}4556C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:22.434{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-8E00-000000007502}4492C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:22.428{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8B00-000000007502}4360C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:22.426{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8900-000000007502}900C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:22.424{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B64-6323-8600-000000007502}5052c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:22.419{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B5A-6323-8400-000000007502}4824C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:22.416{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AF2-6323-7D00-000000007502}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:22.412{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:22.402{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4C00-000000007502}3976C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:22.401{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4700-000000007502}3772C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 23542300x8000000000000000349000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:22.401{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57747B1C291C9EBE1F0D0F1019A1DADE,SHA256=7C94E975C8452AD1D166870036333B3B2EA7A6E751CACC1FBCC8850D8B5FDD0D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000348999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:22.394{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE1-6323-4600-000000007502}3752C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000348998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:22.394{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE0-6323-3A00-000000007502}3404C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 23542300x8000000000000000190687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:22.994{E743DC12-4AD0-6323-1C00-000000007602}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\respondent-20220915155459-015MD5=36EB26F9EED14D2A649109B5B0D3FC1A,SHA256=D5225DBB467937E991D5678F78067E4612BF477D9EC2143F1C43E71004CE921E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:19.963{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49887-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000190685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:22.266{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD8A6C3027444D1D85153DE81BF0C538,SHA256=A1D514F70057E82CE629D0035F957E3161AAF632D51D1ECFE8EFF21FB25B90C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000349087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.928{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=389E334CE6B7BD49CAAF8CFD02AA6FF1,SHA256=D1E0B78153D5AD3C68AB0AD06F398A29738846CA9F70AC22862D9AEC60CEFB3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:23.995{E743DC12-4AD0-6323-1C00-000000007602}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\surveyor-20220915155457-016MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:23.988{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1100-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:23.963{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1000-000000007602}940C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:23.957{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0F00-000000007602}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:23.951{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0E00-000000007602}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:23.944{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0D00-000000007602}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:23.936{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0C00-000000007602}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:23.927{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:23.924{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0900-000000007602}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 23542300x8000000000000000190688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:23.466{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D488366526E98E096C7A9B0B345575D8,SHA256=B09E130E6017D81E1DE7EC36B0261732D4783A15ED94D4883A24D6410E204066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000349086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.879{6820D070-4ADF-6323-3200-000000007502}2936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000349085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.791{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000349084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.776{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000349083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.776{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000349082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.678{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000349081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.678{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000349080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.678{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000349079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.677{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000349078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.677{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000349077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.677{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 354300x8000000000000000349076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:21.442{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63563-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x8000000000000000349075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.547{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000349074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.547{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000349073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.547{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000349072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.547{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000349071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.563{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000349070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.563{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000349069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.563{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000349068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.563{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000349067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.547{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000349066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.563{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000349065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.563{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000349064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.563{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000349063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.563{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000349062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.547{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000349061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.547{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000349060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.547{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000349059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.547{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000349058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.547{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000349057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.547{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000349056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.547{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000349055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.547{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000349054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.547{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000349053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.547{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000349052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.547{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000349051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.547{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000349050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.547{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000349049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.547{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000349048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.547{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000349047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.547{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000349046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.547{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000349045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.547{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000349044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.547{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000349043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.547{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000349042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.547{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000349041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.547{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000349040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.547{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000349039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.547{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000349038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.547{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000349037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.547{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000349036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.547{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000349035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.547{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000349034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.547{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.547{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.547{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.547{6820D070-4ACF-6323-0500-000000007502}404520C:\Windows\system32\csrss.exe{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000349030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.547{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.547{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000349028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.548{6820D070-4EAB-6323-5001-000000007502}7180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000349194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.912{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000349193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.912{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000349192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.912{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000349191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.912{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000349190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.912{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000349189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.912{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000349188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.912{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000349187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.912{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000349186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.896{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000349185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.896{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000349184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.896{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000349183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.896{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000349182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.896{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000349181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.896{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000349180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.896{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000349179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.896{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000349178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.896{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000349177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.896{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000349176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.896{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000349175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.896{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000349174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.896{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000349173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.896{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000349172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.896{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 354300x8000000000000000190726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:22.260{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49888-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x8000000000000000349171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.896{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000349170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.896{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000349169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.896{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000349168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.896{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000349167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.896{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000349166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.896{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000349165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.896{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000349164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.896{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000349163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.896{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000349162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.896{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000349161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.896{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000349160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.896{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000349159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.896{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000349158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.896{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000349157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.896{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000349156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.896{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000349155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.896{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000349154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.896{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000349153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.896{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000349152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.896{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000349151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.896{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000349150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.896{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000349149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.896{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.896{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.896{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.896{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.896{6820D070-4ACF-6323-0500-000000007502}404472C:\Windows\system32\csrss.exe{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000349144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.896{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000349143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.896{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000349142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.627{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87E0FCE0423489F29F505BDDA3767CB0,SHA256=FC862C0478FED3E83B2A108F1AC86D9C628DC43B077F77CDB6C0E498FF3E1228,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000349141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.595{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=98EEB6BADD254E2DE5E19AEF300811E4,SHA256=00B142ED8567D3371EB8F69BB7432965BDB288E2E5DD8271D5C4A8B7842FBA53,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000349140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.433{6820D070-4EAC-6323-5101-000000007502}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000349139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.433{6820D070-4EAC-6323-5101-000000007502}96329636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000349138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.433{6820D070-4EAC-6323-5101-000000007502}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000349137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.433{6820D070-4EAC-6323-5101-000000007502}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000349136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.248{6820D070-4EAC-6323-5101-000000007502}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000349135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.233{6820D070-4EAC-6323-5101-000000007502}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000349134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.233{6820D070-4EAC-6323-5101-000000007502}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000349133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.233{6820D070-4EAC-6323-5101-000000007502}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000349132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.233{6820D070-4EAC-6323-5101-000000007502}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000349131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.233{6820D070-4EAC-6323-5101-000000007502}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000349130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.233{6820D070-4EAC-6323-5101-000000007502}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000349129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.233{6820D070-4EAC-6323-5101-000000007502}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000349128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.233{6820D070-4EAC-6323-5101-000000007502}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000349127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.248{6820D070-4EAC-6323-5101-000000007502}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000349126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.248{6820D070-4EAC-6323-5101-000000007502}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000349125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.248{6820D070-4EAC-6323-5101-000000007502}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000349124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.248{6820D070-4EAC-6323-5101-000000007502}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000349123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.248{6820D070-4EAC-6323-5101-000000007502}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000349122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.248{6820D070-4EAC-6323-5101-000000007502}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000349121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.248{6820D070-4EAC-6323-5101-000000007502}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000349120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.233{6820D070-4EAC-6323-5101-000000007502}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000349119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.233{6820D070-4EAC-6323-5101-000000007502}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000349118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.233{6820D070-4EAC-6323-5101-000000007502}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000349117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.233{6820D070-4EAC-6323-5101-000000007502}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000349116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.233{6820D070-4EAC-6323-5101-000000007502}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000349115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.233{6820D070-4EAC-6323-5101-000000007502}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000349114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.233{6820D070-4EAC-6323-5101-000000007502}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000349113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.233{6820D070-4EAC-6323-5101-000000007502}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000349112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.233{6820D070-4EAC-6323-5101-000000007502}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000349111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.233{6820D070-4EAC-6323-5101-000000007502}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000349110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.233{6820D070-4EAC-6323-5101-000000007502}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000349109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.233{6820D070-4EAC-6323-5101-000000007502}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000349108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.233{6820D070-4EAC-6323-5101-000000007502}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000349107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.233{6820D070-4EAC-6323-5101-000000007502}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000349106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.233{6820D070-4EAC-6323-5101-000000007502}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000349105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.233{6820D070-4EAC-6323-5101-000000007502}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000349104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.233{6820D070-4EAC-6323-5101-000000007502}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000349103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.233{6820D070-4EAC-6323-5101-000000007502}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000349102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.233{6820D070-4EAC-6323-5101-000000007502}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 10341000x8000000000000000349101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.233{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4EAC-6323-5101-000000007502}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000349100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.233{6820D070-4EAC-6323-5101-000000007502}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000349099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.228{6820D070-4EAC-6323-5101-000000007502}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000349098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.228{6820D070-4EAC-6323-5101-000000007502}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000349097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.228{6820D070-4EAC-6323-5101-000000007502}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000349096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.228{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.228{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.228{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.228{6820D070-4ACF-6323-0500-000000007502}404420C:\Windows\system32\csrss.exe{6820D070-4EAC-6323-5101-000000007502}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000349092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.228{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.228{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4EAC-6323-5101-000000007502}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000349090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.229{6820D070-4EAC-6323-5101-000000007502}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000349089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.028{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E40903D56EB54CBC61C381C89DE7842D,SHA256=DA38AAF68DA015251EE56BFD01764595F5973CBA8F2951EB166FD806E5654260,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000349088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:24.012{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=381FD35EF0C4C9BAFA25A146AAE8F8F5,SHA256=51DB0C6D5A62F3EB3BF2F5367F1F5DA237F759E60D4C2BE5458B590113C63006,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:24.174{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B84-6323-9000-000000007602}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:24.165{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:24.150{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:24.146{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8700-000000007602}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:24.137{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B81-6323-8400-000000007602}3052C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:24.134{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B80-6323-8100-000000007602}640C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:24.132{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B7F-6323-7F00-000000007602}1676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:24.130{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B4B-6323-7B00-000000007602}2656C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:24.127{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AE3-6323-6D00-000000007602}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:24.124{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:24.119{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4200-000000007602}3036C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:24.118{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4000-000000007602}3000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:24.114{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-3C00-000000007602}2820C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:24.113{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD2-6323-2B00-000000007602}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:24.112{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2600-000000007602}2612C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:24.111{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2500-000000007602}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:24.108{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:24.104{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:24.101{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2000-000000007602}2000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:24.098{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1F00-000000007602}1984C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:24.093{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1C00-000000007602}1924C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:24.085{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1900-000000007602}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:24.065{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1700-000000007602}1228C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:24.063{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1600-000000007602}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:24.050{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1500-000000007602}1056C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:24.013{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1400-000000007602}1048C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:24.008{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1300-000000007602}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 10341000x8000000000000000190698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:23.999{E743DC12-4AD0-6323-1D00-000000007602}19442908C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1200-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013180610) 734700x8000000000000000349251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.774{6820D070-4EAD-6323-5301-000000007502}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000349250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.774{6820D070-4EAD-6323-5301-000000007502}97089696C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000349249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.766{6820D070-4EAD-6323-5301-000000007502}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000349248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.765{6820D070-4EAD-6323-5301-000000007502}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000349247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.708{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3FDA01776BC610F072BAAB1ECDD0E07,SHA256=5C67C128ABD236E99511EDAC7087789A7F78FC7FE61FF7507F8AF6B0855FFEE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:25.646{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF63F74FB05AD1E7BEE23E4629C5649E,SHA256=30E3A78BEF3DD0F716014D5D72092EFAC8103FB8CC911954B6A7A9D95AC2365B,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000349246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.580{6820D070-4EAD-6323-5301-000000007502}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000349245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.580{6820D070-4EAD-6323-5301-000000007502}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000349244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.580{6820D070-4EAD-6323-5301-000000007502}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000349243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.580{6820D070-4EAD-6323-5301-000000007502}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000349242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.580{6820D070-4EAD-6323-5301-000000007502}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000349241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.580{6820D070-4EAD-6323-5301-000000007502}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000349240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.580{6820D070-4EAD-6323-5301-000000007502}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000349239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.580{6820D070-4EAD-6323-5301-000000007502}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000349238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.564{6820D070-4EAD-6323-5301-000000007502}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000349237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.564{6820D070-4EAD-6323-5301-000000007502}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000349236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.564{6820D070-4EAD-6323-5301-000000007502}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000349235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.564{6820D070-4EAD-6323-5301-000000007502}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000349234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.564{6820D070-4EAD-6323-5301-000000007502}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000349233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.564{6820D070-4EAD-6323-5301-000000007502}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000349232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.564{6820D070-4EAD-6323-5301-000000007502}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000349231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.564{6820D070-4EAD-6323-5301-000000007502}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000349230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.564{6820D070-4EAD-6323-5301-000000007502}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000349229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.564{6820D070-4EAD-6323-5301-000000007502}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000349228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.564{6820D070-4EAD-6323-5301-000000007502}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000349227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.564{6820D070-4EAD-6323-5301-000000007502}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000349226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.564{6820D070-4EAD-6323-5301-000000007502}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000349225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.564{6820D070-4EAD-6323-5301-000000007502}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000349224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.564{6820D070-4EAD-6323-5301-000000007502}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000349223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.564{6820D070-4EAD-6323-5301-000000007502}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000349222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.564{6820D070-4EAD-6323-5301-000000007502}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000349221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.564{6820D070-4EAD-6323-5301-000000007502}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000349220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.564{6820D070-4EAD-6323-5301-000000007502}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000349219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.564{6820D070-4EAD-6323-5301-000000007502}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000349218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.564{6820D070-4EAD-6323-5301-000000007502}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000349217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.564{6820D070-4EAD-6323-5301-000000007502}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000349216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.564{6820D070-4EAD-6323-5301-000000007502}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000349215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.564{6820D070-4EAD-6323-5301-000000007502}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000349214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.564{6820D070-4EAD-6323-5301-000000007502}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000349213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.564{6820D070-4EAD-6323-5301-000000007502}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000349212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.564{6820D070-4EAD-6323-5301-000000007502}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000349211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.564{6820D070-4EAD-6323-5301-000000007502}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000349210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.564{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4EAD-6323-5301-000000007502}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000349209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.564{6820D070-4EAD-6323-5301-000000007502}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000349208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.564{6820D070-4EAD-6323-5301-000000007502}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000349207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.564{6820D070-4EAD-6323-5301-000000007502}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000349206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.564{6820D070-4EAD-6323-5301-000000007502}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000349205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.564{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.564{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.564{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.564{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.564{6820D070-4ACF-6323-0500-000000007502}404420C:\Windows\system32\csrss.exe{6820D070-4EAD-6323-5301-000000007502}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000349200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.564{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4EAD-6323-5301-000000007502}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000349199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.565{6820D070-4EAD-6323-5301-000000007502}9708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000349198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:23.057{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63564-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 734700x8000000000000000349197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.112{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000349196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.112{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000349195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.112{6820D070-4EAC-6323-5201-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000190727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:25.093{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=938D9F92FCBD80BE7BD0B5CA7DD26E5F,SHA256=5664FD2B546C718795FB69377A014535B1CA706E7E31CF37D7DB7E7EB7EBA1BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:26.729{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD8BC920A7F26C5A877E32FEB8D7F555,SHA256=AD878302E8224319C72435362A9F6388D13FFF53AA4C290F84FBF3AB1BAAF4B1,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000349351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.868{6820D070-4EAE-6323-5501-000000007502}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000349350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.868{6820D070-4EAE-6323-5501-000000007502}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000349349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.868{6820D070-4EAE-6323-5501-000000007502}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000349348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.868{6820D070-4EAE-6323-5501-000000007502}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000349347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.868{6820D070-4EAE-6323-5501-000000007502}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000349346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.868{6820D070-4EAE-6323-5501-000000007502}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000349345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.868{6820D070-4EAE-6323-5501-000000007502}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000349344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.868{6820D070-4EAE-6323-5501-000000007502}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000349343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.852{6820D070-4EAE-6323-5501-000000007502}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000349342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.852{6820D070-4EAE-6323-5501-000000007502}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000349341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.852{6820D070-4EAE-6323-5501-000000007502}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000349340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.852{6820D070-4EAE-6323-5501-000000007502}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000349339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.852{6820D070-4EAE-6323-5501-000000007502}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000349338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.852{6820D070-4EAE-6323-5501-000000007502}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000349337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.852{6820D070-4EAE-6323-5501-000000007502}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000349336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.852{6820D070-4EAE-6323-5501-000000007502}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000349335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.852{6820D070-4EAE-6323-5501-000000007502}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000349334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.852{6820D070-4EAE-6323-5501-000000007502}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000349333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.852{6820D070-4EAE-6323-5501-000000007502}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000349332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.852{6820D070-4EAE-6323-5501-000000007502}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000349331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.852{6820D070-4EAE-6323-5501-000000007502}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000349330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.852{6820D070-4EAE-6323-5501-000000007502}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000349329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.852{6820D070-4EAE-6323-5501-000000007502}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000349328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.852{6820D070-4EAE-6323-5501-000000007502}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000349327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.852{6820D070-4EAE-6323-5501-000000007502}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000349326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.852{6820D070-4EAE-6323-5501-000000007502}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000349325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.852{6820D070-4EAE-6323-5501-000000007502}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000349324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.852{6820D070-4EAE-6323-5501-000000007502}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000349323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.852{6820D070-4EAE-6323-5501-000000007502}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000349322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.852{6820D070-4EAE-6323-5501-000000007502}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000349321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.852{6820D070-4EAE-6323-5501-000000007502}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000349320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.852{6820D070-4EAE-6323-5501-000000007502}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000349319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.852{6820D070-4EAE-6323-5501-000000007502}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000349318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.852{6820D070-4EAE-6323-5501-000000007502}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000349317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.852{6820D070-4EAE-6323-5501-000000007502}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 10341000x8000000000000000349316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.852{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4EAE-6323-5501-000000007502}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000349315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.837{6820D070-4EAE-6323-5501-000000007502}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000349314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.837{6820D070-4EAE-6323-5501-000000007502}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000349313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.837{6820D070-4EAE-6323-5501-000000007502}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000349312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.837{6820D070-4EAE-6323-5501-000000007502}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000349311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.837{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.837{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.837{6820D070-4ACF-6323-0500-000000007502}404520C:\Windows\system32\csrss.exe{6820D070-4EAE-6323-5501-000000007502}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000349308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.837{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.837{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.837{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4EAE-6323-5501-000000007502}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000349305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.842{6820D070-4EAE-6323-5501-000000007502}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000349304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.837{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7942632AAD116A871ACBF7ADBDB9B10,SHA256=F75714D4A6AD7973AA4A7D7FC039A405F929152E1619949E11F6ABD874EDB9F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000349303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.837{6820D070-4ADF-6323-3200-000000007502}2936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=362BDC87F789131A054040B3E175E41C,SHA256=ABE20E6DD3F4AC29DB70BD9474118D1C680223BB13BE76A5AD74E58D8DBE4D07,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000349302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.452{6820D070-4EAE-6323-5401-000000007502}91489128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000349301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.452{6820D070-4EAE-6323-5401-000000007502}9148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000349300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.452{6820D070-4EAE-6323-5401-000000007502}9148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000349299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.281{6820D070-4EAE-6323-5401-000000007502}9148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000349298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.281{6820D070-4EAE-6323-5401-000000007502}9148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000349297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.281{6820D070-4EAE-6323-5401-000000007502}9148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000349296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.265{6820D070-4EAE-6323-5401-000000007502}9148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000349295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.265{6820D070-4EAE-6323-5401-000000007502}9148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000349294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.265{6820D070-4EAE-6323-5401-000000007502}9148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000349293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.265{6820D070-4EAE-6323-5401-000000007502}9148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000349292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.265{6820D070-4EAE-6323-5401-000000007502}9148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000349291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.265{6820D070-4EAE-6323-5401-000000007502}9148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000349290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.265{6820D070-4EAE-6323-5401-000000007502}9148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000349289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.265{6820D070-4EAE-6323-5401-000000007502}9148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000349288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.265{6820D070-4EAE-6323-5401-000000007502}9148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000349287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.265{6820D070-4EAE-6323-5401-000000007502}9148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000349286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.265{6820D070-4EAE-6323-5401-000000007502}9148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000349285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.265{6820D070-4EAE-6323-5401-000000007502}9148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000349284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.265{6820D070-4EAE-6323-5401-000000007502}9148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000349283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.265{6820D070-4EAE-6323-5401-000000007502}9148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000349282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.265{6820D070-4EAE-6323-5401-000000007502}9148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000349281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.265{6820D070-4EAE-6323-5401-000000007502}9148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000349280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.265{6820D070-4EAE-6323-5401-000000007502}9148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000349279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.265{6820D070-4EAE-6323-5401-000000007502}9148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000349278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.249{6820D070-4EAE-6323-5401-000000007502}9148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000349277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.249{6820D070-4EAE-6323-5401-000000007502}9148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000349276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.249{6820D070-4EAE-6323-5401-000000007502}9148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000349275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.249{6820D070-4EAE-6323-5401-000000007502}9148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000349274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.249{6820D070-4EAE-6323-5401-000000007502}9148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000349273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.249{6820D070-4EAE-6323-5401-000000007502}9148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000349272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.249{6820D070-4EAE-6323-5401-000000007502}9148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000349271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.249{6820D070-4EAE-6323-5401-000000007502}9148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000349270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.249{6820D070-4EAE-6323-5401-000000007502}9148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000349269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.249{6820D070-4EAE-6323-5401-000000007502}9148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000349268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.249{6820D070-4EAE-6323-5401-000000007502}9148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000349267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.249{6820D070-4EAE-6323-5401-000000007502}9148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000349266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.249{6820D070-4EAE-6323-5401-000000007502}9148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000349265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.249{6820D070-4EAE-6323-5401-000000007502}9148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000349264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.249{6820D070-4EAE-6323-5401-000000007502}9148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000349263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.249{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4EAE-6323-5401-000000007502}9148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000349262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.249{6820D070-4EAE-6323-5401-000000007502}9148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000349261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.249{6820D070-4EAE-6323-5401-000000007502}9148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000349260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.249{6820D070-4EAE-6323-5401-000000007502}9148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000349259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.249{6820D070-4EAE-6323-5401-000000007502}9148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000349258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.249{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.249{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.249{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.249{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.249{6820D070-4ACF-6323-0500-000000007502}404472C:\Windows\system32\csrss.exe{6820D070-4EAE-6323-5401-000000007502}9148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000349253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.249{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4EAE-6323-5401-000000007502}9148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000349252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:26.250{6820D070-4EAE-6323-5401-000000007502}9148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000190756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:27.811{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=730111238A61CBDB43BF42D60939D830,SHA256=25432BF6EF7C89CDB8912BF15E5E58F3193F8B30EA86D4325548F2436DECD729,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000349407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.684{6820D070-4EAF-6323-5601-000000007502}8432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000349406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.684{6820D070-4EAF-6323-5601-000000007502}8432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000349405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.684{6820D070-4EAF-6323-5601-000000007502}8432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000349404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.568{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6CAB798732AE7CD3EDB6D039096C466,SHA256=437F72F51CCC622ADEA1D48FF3A2804E39E257CE4C00FC98862352B30E4FB8FE,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000349403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.468{6820D070-4EAF-6323-5601-000000007502}8432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000349402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.468{6820D070-4EAF-6323-5601-000000007502}8432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000349401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.468{6820D070-4EAF-6323-5601-000000007502}8432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000349400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.468{6820D070-4EAF-6323-5601-000000007502}8432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000349399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.468{6820D070-4EAF-6323-5601-000000007502}8432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000349398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.468{6820D070-4EAF-6323-5601-000000007502}8432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000349397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.468{6820D070-4EAF-6323-5601-000000007502}8432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000349396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.453{6820D070-4EAF-6323-5601-000000007502}8432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000349395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.453{6820D070-4EAF-6323-5601-000000007502}8432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000349394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.453{6820D070-4EAF-6323-5601-000000007502}8432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000349393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.453{6820D070-4EAF-6323-5601-000000007502}8432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000349392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.453{6820D070-4EAF-6323-5601-000000007502}8432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000349391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.453{6820D070-4EAF-6323-5601-000000007502}8432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000349390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.453{6820D070-4EAF-6323-5601-000000007502}8432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000349389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.453{6820D070-4EAF-6323-5601-000000007502}8432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000349388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.453{6820D070-4EAF-6323-5601-000000007502}8432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000349387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.453{6820D070-4EAF-6323-5601-000000007502}8432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000349386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.453{6820D070-4EAF-6323-5601-000000007502}8432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000349385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.453{6820D070-4EAF-6323-5601-000000007502}8432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000349384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.453{6820D070-4EAF-6323-5601-000000007502}8432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000349383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.453{6820D070-4EAF-6323-5601-000000007502}8432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000349382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.453{6820D070-4EAF-6323-5601-000000007502}8432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000349381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.453{6820D070-4EAF-6323-5601-000000007502}8432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000349380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.453{6820D070-4EAF-6323-5601-000000007502}8432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000349379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.453{6820D070-4EAF-6323-5601-000000007502}8432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000349378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.453{6820D070-4EAF-6323-5601-000000007502}8432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000349377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.453{6820D070-4EAF-6323-5601-000000007502}8432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000349376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.453{6820D070-4EAF-6323-5601-000000007502}8432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000349375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.453{6820D070-4EAF-6323-5601-000000007502}8432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000349374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.453{6820D070-4EAF-6323-5601-000000007502}8432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000349373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.453{6820D070-4EAF-6323-5601-000000007502}8432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000349372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.453{6820D070-4EAF-6323-5601-000000007502}8432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000349371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.453{6820D070-4EAF-6323-5601-000000007502}8432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000349370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.453{6820D070-4EAF-6323-5601-000000007502}8432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000349369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.453{6820D070-4EAF-6323-5601-000000007502}8432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000349368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.453{6820D070-4EAF-6323-5601-000000007502}8432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000349367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.453{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4EAF-6323-5601-000000007502}8432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000349366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.453{6820D070-4EAF-6323-5601-000000007502}8432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000349365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.453{6820D070-4EAF-6323-5601-000000007502}8432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000349364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.453{6820D070-4EAF-6323-5601-000000007502}8432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000349363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.453{6820D070-4EAF-6323-5601-000000007502}8432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000349362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.453{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.453{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:27.306{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:27.306{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:27.306{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:27.306{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:27.306{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:27.306{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:27.306{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:27.306{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:27.306{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:27.306{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:27.306{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:27.306{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:27.306{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:27.306{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:27.306{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:27.306{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:27.306{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:27.306{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:27.306{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:27.306{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:27.306{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:27.306{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:27.306{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:27.306{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B84-6323-9000-000000007602}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:27.306{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B84-6323-9000-000000007602}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:27.306{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B84-6323-9000-000000007602}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.453{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.453{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.453{6820D070-4ACF-6323-0500-000000007502}404520C:\Windows\system32\csrss.exe{6820D070-4EAF-6323-5601-000000007502}8432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000349357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.453{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4EAF-6323-5601-000000007502}8432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000349356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.454{6820D070-4EAF-6323-5601-000000007502}8432C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000349355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.068{6820D070-4EAE-6323-5501-000000007502}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000349354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.068{6820D070-4EAE-6323-5501-000000007502}84568344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000349353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.068{6820D070-4EAE-6323-5501-000000007502}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000349352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.068{6820D070-4EAE-6323-5501-000000007502}8456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000190757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:28.899{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A281A986592BA75EA0A03F0C3D9BC97,SHA256=934105A7142534E7AE7223C0E9D893D422504F0DF426EB289B41AF9FBBD12E0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000349410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.825{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63565-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000349409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:25.825{6820D070-4ADF-6323-2600-000000007502}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63565-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 23542300x8000000000000000349408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:28.160{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CB958EA920F130ED2B73B23544992EA,SHA256=2C0E6468757EA63D3144161165828A2CB19EB7B998D4C1372C7B0FD8DCB991CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:29.971{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7D60F9124DF389DA2D15A67997C8C64,SHA256=39C8A1F09967F2EC01C07FDD0A2DFFBC130628CBE6D6775D82CF2297721CC64D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000349412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:27.413{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63566-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000349411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:29.324{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D543E121089FE9354ED8F4FBBCFCD17C,SHA256=112E7890B4924276CBB76A03471876836A5883EB04A2B045D43C9BAFC84FBE81,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:27.387{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49889-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000349414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:30.494{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2B4368EB80EF17978F2020F884BD7D2A,SHA256=8D19CE910F9F254E7AE76B16C4266E06AC70A82D58C30125EA479B7B4A468D6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000349413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:30.441{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48A10A72D2D29A39D547D40B007B29A7,SHA256=662B5A44A886F3176C7B206936663F904FEFB6A60BBE17A552B331DD0A95809A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000349415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:31.558{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECF0FE6AA8C998229A3B5121779A4F2D,SHA256=69E8EAB19325F5386C8CE76D9F767FF60F32FB39E89AAEEBE4713F81EF6D6445,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:31.159{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C001811210F78566EBFA36AC94B1B5A,SHA256=575E31CA27D925F7D3B26732AE445DD4732DA583133B68E315F5A7E711560D01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000349416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:32.674{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAB428997718754AD01F8A65BBBCC510,SHA256=4B48217DECA38D91C986A6DC8146C78EFF82E08A26909670E42FF3461FBD6A85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:32.272{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=863EAC60F2793CBD2C9A4E4365DED48D,SHA256=4DB3C43BC71121C3CC481D19BB6F3155DC8E15A466579091A27B04FC92AF7B75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000349417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:33.680{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32CC5C599BA446B6E2D10CB2554D56A9,SHA256=ADE79C7583700D0D626D3D4EB028CBF4507A5B7BFF95A0321220F23A159A80E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:33.368{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D85169489FBC38DC4FABC13CEF1A11D3,SHA256=39AC44017890B52BF3D55C6142D4839791F3CA38C1C94636F324F674947E8BF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:34.557{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A0665AADD22D33A431B65062A1F75B5,SHA256=FDD153873FED0251980349FA853BA39DA1C2A83CFA990748D4CAC7FDB993174B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000349418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:34.797{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7261967A93BCA166AE6899A5F2BF1DEE,SHA256=185C876241AFCB75149302555FA11F62B1C76AA107E046C5AE9C075A1907C1BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:33.367{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49890-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000190764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:35.847{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F63AAB71A8E99C0901EC8C4121DDD1F5,SHA256=807CBC7316462440BC3617C23CC1427BCFF60BCE889F6BD5C4917CA710ADFCDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000349420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:35.912{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B55552D760942666AD891CF30C016511,SHA256=2338A44C90C7B0118DAFC50A8D4D0C5CD802505CB5837C32CFF2C023B3D06F58,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000349419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:33.356{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63567-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000349421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:36.897{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B5D0032665C6D84F07648F306A8F0F0,SHA256=859DF572458D28BC28012D7A52151045E4A7ADB8F4394A0D1F0803C17AC2C74D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000349423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:37.976{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0AB02CB50716BCBA0D128D9A386267C,SHA256=185C1AE646E00323588BE523F23AE928970710DCFCF0BF749B2582368A20D8DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:37.043{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8336CE3CCE7CEFF1124D85039066CA4F,SHA256=73A989D1C0BAA843483FD4BC132FA08F9672D07EBA348F37398B684424F723A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000349422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:37.762{6820D070-4ADF-6323-2900-000000007502}2576NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\respondent-20220915155514-015MD5=3EE9864ACDFFE78A8B2E0DEDF704C720,SHA256=3E9075B80C33CFA58EAF977E4450D367AD693E429428DFB55B91DE7FD240E49F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:38.124{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A14C95882338551534D8B586306057EA,SHA256=278DFF6B4F8009AE59E4F4EDB1948F23FF0CB98438C7B954CD18CA2290E95B00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000349425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:38.761{6820D070-4ADF-6323-2900-000000007502}2576NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\surveyor-20220915155511-016MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000349424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:38.544{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\glean\db\data.safe.binMD5=8CB69F1FB02FBE81CD02F12A4A4C46B2,SHA256=1851A24A5A3E518301A0CE03715B203754367A1CA83EBE9B0F28BDAB8DE5B196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:39.318{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D71AB52EC4686C7671213D80F51FC45D,SHA256=003F6B8A9FFF7003467123F8F10B9A7A2034BED15688AE2ABD38F35CB20F72C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000349450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:39.918{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2E00-000000007502}2728C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:39.917{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2D00-000000007502}2720C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:39.909{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:39.413{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:39.402{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2900-000000007502}2576C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:39.395{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:39.382{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2600-000000007502}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:39.373{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2500-000000007502}2460C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:39.369{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADB-6323-2300-000000007502}2300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:39.366{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD2-6323-1B00-000000007502}1512C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:39.364{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1700-000000007502}1348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:39.353{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1600-000000007502}1292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:39.299{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:39.288{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1400-000000007502}1160C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:39.282{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1300-000000007502}924C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:39.268{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1200-000000007502}396C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:39.259{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1100-000000007502}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:39.253{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1000-000000007502}428C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:39.240{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0F00-000000007502}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:39.233{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:39.223{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0D00-000000007502}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:39.213{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:39.149{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:39.145{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0900-000000007502}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 23542300x8000000000000000349426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:39.061{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4473B5BEC1F53EF26BEF9F31791D9CC1,SHA256=07C595E5B8860A3CE5FBDA90E862468B88D8F2E9CFADA83E9046F5235A149920,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:40.513{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59FC31CDAEB0204122405B2E14C71E2A,SHA256=366163F6911C714AD53B8AB5D20DD25898F62D7DA26ED74CE85E5F6E876B0519,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000349452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:38.442{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63568-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000349451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:40.084{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A467482417766049E5ABBC98BBD7538D,SHA256=DF9A6EA21F4B445FB316E61C715E86A0C2F1E90B72F5FEA1AFB592B833E65680,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:41.958{E743DC12-4AD1-6323-2200-000000007602}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=81C9E02913C8809C1B27CA1A5021925A,SHA256=6D1102342F72E76895F78B77106E34C0823D14EFB577350913594C49B0D2AB3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:41.598{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB57DD59402B8CE43A87B8347C205993,SHA256=8BC6E4C0E18B4C582A7BDE3331410F482B1E053009A995D07A8E8DB6D048C858,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000349465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:41.956{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:41.956{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:41.952{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3500-000000007502}2408C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:41.950{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3300-000000007502}2176C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:41.943{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:41.940{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3100-000000007502}2816C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:41.935{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2F00-000000007502}2800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:41.933{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3000-000000007502}2780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 23542300x8000000000000000349457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:41.232{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B76D82A03B1CB7C4D2A89D12DBA217CA,SHA256=A99A4FD9FA1461AA4D3E4ED947D77BE06F7C3C8E051296EFD2AE8426F5A2CE09,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:38.431{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49891-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000349456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:41.064{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:41.064{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:41.048{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:41.048{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000190773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:42.905{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15153ACCE4AB4571C966480825292B13,SHA256=5388AC35B014D3916E23A4E185ACCBBDB6A782093DBE461D84493C21B4FFCDC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000349534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.918{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D3C97D2D25FE89FAABF4FCE97B4924F,SHA256=DD992C1EC0C416A06322A27FBB8A2B963FC612D9F4BA7172CCD9B5BEFD5AD648,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000349533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.645{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.631{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.628{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.627{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.626{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.626{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.626{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.626{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.626{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.626{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.626{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.626{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.626{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-3000-000000007502}2780C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.626{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-3000-000000007502}2780C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.626{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.626{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.626{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.625{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.625{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.625{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.625{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.625{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.625{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.625{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.625{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.625{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.625{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.625{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.624{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.624{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.624{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.624{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.624{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.624{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.624{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.624{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.623{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.623{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.623{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.623{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.623{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.621{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.622{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.619{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.613{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.608{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF6-6323-1401-000000007502}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.606{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.601{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F100-000000007502}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.594{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F000-000000007502}6028C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.590{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EF00-000000007502}5984C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.582{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EE00-000000007502}5852C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.551{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.541{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.528{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.505{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.499{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-9100-000000007502}4556C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.491{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-8E00-000000007502}4492C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.486{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8B00-000000007502}4360C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.484{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8900-000000007502}900C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.482{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B64-6323-8600-000000007502}5052c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.478{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B5A-6323-8400-000000007502}4824C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.476{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AF2-6323-7D00-000000007502}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.473{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.469{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4C00-000000007502}3976C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.468{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4700-000000007502}3772C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.466{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE1-6323-4600-000000007502}3752C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.465{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE0-6323-3A00-000000007502}3404C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 23542300x8000000000000000349466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:42.333{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=326070655A118357221458540EC1B5C6,SHA256=01536A334463E09727B8D88B4E67885B529B0A100DDCB5063D1A8176CDE71672,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:43.992{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1200-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000349539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:43.767{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:43.767{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:43.450{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:43.450{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000349535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:43.350{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FE28BD9129CA56D41ED888804602A98,SHA256=2AD3436D64526ED94A5BF62F601A0A55EC7063900BC4FF9332B30FEF3C49581F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:43.985{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1100-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:43.974{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1000-000000007602}940C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:43.970{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0F00-000000007602}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:43.961{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0E00-000000007602}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:43.951{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0D00-000000007602}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:43.943{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0C00-000000007602}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:43.936{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:43.933{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0900-000000007602}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 23542300x8000000000000000349542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:44.420{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEA77DCD953CE1DA621F94F7D9B073C9,SHA256=3507A777B131C79497356E9BD6868837CA7E54E486CD0D17ECA98F2D35AF512D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:44.141{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B84-6323-9000-000000007602}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:44.131{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:44.114{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:44.107{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8700-000000007602}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:44.099{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B81-6323-8400-000000007602}3052C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 23542300x8000000000000000190805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:44.095{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C4FF0098C1CC67111CAC1667AF60908,SHA256=0757FEB61B1ECE67DE48FF5E2A0E0AA9FFE0BCC8BC01F97029F2BE1C2AEFF00B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:44.095{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B80-6323-8100-000000007602}640C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:44.094{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B7F-6323-7F00-000000007602}1676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:44.091{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B4B-6323-7B00-000000007602}2656C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:44.090{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AE3-6323-6D00-000000007602}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:44.088{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:44.085{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4200-000000007602}3036C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:44.084{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4000-000000007602}3000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:44.082{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-3C00-000000007602}2820C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:44.081{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD2-6323-2B00-000000007602}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:44.080{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2600-000000007602}2612C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:44.079{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2500-000000007602}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:44.076{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:44.072{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:44.069{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2000-000000007602}2000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:44.066{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1F00-000000007602}1984C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:44.061{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1C00-000000007602}1924C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:44.054{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1900-000000007602}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:44.040{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1700-000000007602}1228C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:44.038{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1600-000000007602}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:44.031{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1500-000000007602}1056C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:44.005{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1400-000000007602}1048C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000190783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:43.999{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1300-000000007602}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000349541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:44.267{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:44.267{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 13241300x8000000000000000349544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 16:11:45.908{6820D070-4AD1-6323-1200-000000007502}396C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8c91d-0xda2daac3) 23542300x8000000000000000349543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:45.523{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A6D0F6BC6F8351EFC1F764C60F63573,SHA256=EAF7790A5CA4B349436EC71DC57BDA421C6E80CD3BFEA2CC045724EB44D9F986,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:45.215{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E08352481B428135EF48BCFE383EE81D,SHA256=E8AF4AC3FC50CAFB1C7F80741F2701ED6DF36D3D3C8A332D8559B32D98811950,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000349546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:44.220{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63569-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000349545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:46.540{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40A7310E4EBD952DDDEB057923FACF68,SHA256=BB9C1799A2A90995F76AD6E148EBE9A1C18988E221E1243E38BEB694F0634268,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:46.247{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC84D9E38A26CDCFFC9890FA2F748ED6,SHA256=05C1AE61C27746124F830FABD76CEA6B61215459860C6EFFB421C3DE9DD7A86D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:47.438{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=601D1192165F0A8D16B56D45F41DCBE9,SHA256=55B766AF84276AC31D1BED71A03AEA7745F7C18EB9EFBA3CE1886F2CCCAE2EC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000349547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:47.641{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AFD984B7671C7B26DBE27780248FDCF,SHA256=FF48A1246FF042599F8B84B34FF23D9015E18F0CB2372CEF62F00955CDF2BADC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:44.406{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49892-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000190815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:48.535{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=096653DFD7DAA22D34E1D30DC42DA80E,SHA256=C0EE50398CE143B51863C53D001B4FCD81EDB53524F58AF77F58DFB07811EEFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000349548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:48.657{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DF926DC4FD3FCAEFAC3B4EF2C414B02,SHA256=73360A944875DD420F318ED087F4F5C3E64F4D88B1E12DFAFFDC23EDA59484B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:49.727{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E463E22A8B4B53D9D52B52FA1FC863D,SHA256=FC1FF22F32D9FFDD18694973E2EA90B3608754AC6A216FD9D6C17AC979425031,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000349549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:49.753{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7444E764B0C2AC96CBFC00F9FAA4E04,SHA256=2AF61EC09061C1EF2EC9D569B94CEBC25BCA6046E23BB8B1FFB23071A4E73398,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:50.831{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3D60DB813119BC81FE08C68FF639104,SHA256=3FB2963864DDA453D345A446CA5BE960F0B8CE7B399C81A477D4D0CD07848F57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000349550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:50.846{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DA26D7E805E9DABE1124573CA148E43,SHA256=C8C4E7982D0451551AA65C6D667DC060E1E8CEC4B0E41A4998E87F3407485CD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:51.928{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FA0899D64C2FBA83C19046B5C07C21C,SHA256=297BAB77B00F2A4C77341DD95497946439EB77691BEF658CA616292C5D10F929,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000349556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:51.932{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65949692ED818BE069F2CED734AAB787,SHA256=3CED815F6C855A593614C152AB21A86765D79118BF9FFD1804858E8596A2C8F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:49.421{E743DC12-4AD0-6323-1100-000000007602}1000C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:20:3c3f:f5ff:fef0win-host-ctus-attack-range-102546dhcpv6-clienttrueff02:0:0:0:0:0:1:2-547dhcpv6-server 354300x8000000000000000349555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:49.271{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63570-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000349554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:51.123{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:51.120{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:51.110{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:51.110{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000190820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:50.303{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49893-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000349560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:52.277{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:52.277{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:52.277{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:52.277{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000190821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:53.120{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3F018CDC46CD14FEDCA94268915EA05,SHA256=8B96515C31F62B3F05421278C432977C78118B042532DF655FF6AEA96E7E7DFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000349561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:53.048{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=623E509D187B546665AE9EAFA9E7955E,SHA256=1C44510739E60EF983C2D2D3595DD16EFA602229760216E7DE9D23A10BBB035F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:54.311{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6606E11169638CB5BE4E873477BBB9D9,SHA256=64469A43FFD743FF4A83C26A1EC6296F10B9ACEAFA38DF35BB1EB2D881F3786A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000349562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:54.128{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15B034993C80AB72AEF32A02A24F9874,SHA256=54F5FACBF794EEDC24AF13D09C2285D788620F7EB36C5849A7D0F8AC4721AFDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:55.510{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECD7C84C96884A04C32778B59AC6A55E,SHA256=FAD1C83EEB9EDC7709D756B3C90A9882F3748F70300702CC857356BCDD2BFF3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000349563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:55.249{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F500203361E9A7368CB9AF77658942BB,SHA256=2A31265884549457066897E7C6D138508FD634F9E3FF653B326703EF0D022BE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:56.706{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CBE3C2F0F72AFD6FD951334DB6B3FA1,SHA256=51B8C9E9ACC21B222C88C1429273CF5104897083F880E8F4721B064A154D17D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000349565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:56.981{6820D070-4ADF-6323-3200-000000007502}2936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=7C59D153EA76B325CE34035BB9BC124A,SHA256=4261BCA65D902804E6262714B69066FF1FB9DFDA5ABEBA0DAF2198AE243CCB1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000349564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:56.365{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F381651694BF8834354CD0312BE1A9F6,SHA256=329483C403F81BD67A05D7A885B7E55442E9A882EB727A3EAF2D2898F3012918,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:57.907{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBCAF6D7C1EA2C345055B9834D389D3C,SHA256=E13FCD96AFB9DA72CBF94CAD47151742DA7F86A8991596457B34964AA20002E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000349567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:57.467{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=504AC57793CFB42955F4B97DCDC28BE7,SHA256=254A705468F2AEC887114021D8E2A6F4A7FF433A09973AD2323E5A44AA8E8F01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:57.391{E743DC12-4AD0-6323-1100-000000007602}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=01F95233CF5F8873A2EA06DC65085F83,SHA256=316FACCDF6957C738B267E25D1570E71B435BBEDD6F802CEF17606078016B3A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000349566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:54.397{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63572-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000190828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:58.987{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A68EF36FBA3CB6F3328D2C4EBA03D2DF,SHA256=355204FD18D7587921629CD0B024AB865F36A1163C748B8B964DD1918CD56196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000349573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:58.819{6820D070-4AD1-6323-1100-000000007502}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=C81BEABAA31969316EFBC6CE78795FED,SHA256=DD650A44ED6705AEDB575457174817464FD4636A825622F5E06E51E4AC63574E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000349572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:58.503{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6356E1CD70A407A4EE06184A6C9C921E,SHA256=F0F2A592BFEC365258FEB663B6B8CB6A4D1CFD25A81DAC14FC8E37FBA70B771F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000349571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:58.503{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:58.503{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000190827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:11:56.263{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49894-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000349569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:58.234{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:58.234{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:59.977{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2E00-000000007502}2728C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:59.974{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2D00-000000007502}2720C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:59.964{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:59.694{6820D070-4AD1-6323-0D00-000000007502}8883304C:\Windows\system32\svchost.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:59.694{6820D070-4AD1-6323-0D00-000000007502}8883304C:\Windows\system32\svchost.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:59.694{6820D070-4AD1-6323-0D00-000000007502}8883304C:\Windows\system32\svchost.exe{6820D070-4AD1-6323-1200-000000007502}396C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:59.694{6820D070-4AD1-6323-0D00-000000007502}8883304C:\Windows\system32\svchost.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000349596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:59.585{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB3481CDD88E2B38AEE188C1D217B13D,SHA256=F376F6E84DD3571F4A60543A726C02396FEF4CEFE543FC183D8A1D0E4E6EDF30,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000349595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:59.410{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:59.404{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2900-000000007502}2576C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:59.398{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:59.388{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2600-000000007502}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:59.380{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2500-000000007502}2460C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:59.376{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADB-6323-2300-000000007502}2300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:59.375{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD2-6323-1B00-000000007502}1512C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:59.373{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1700-000000007502}1348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:59.363{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1600-000000007502}1292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:59.333{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:59.327{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1400-000000007502}1160C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:59.319{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1300-000000007502}924C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:59.308{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1200-000000007502}396C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:59.298{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1100-000000007502}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:59.286{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1000-000000007502}428C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:59.274{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0F00-000000007502}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:59.266{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:59.255{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0D00-000000007502}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:59.246{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 23542300x8000000000000000349576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:59.234{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\aborted-session-pingMD5=2518D3859105EC039B1813F0FC16E738,SHA256=E634A5C0811C428F47D778DEAED0332CE1F383F1B10C6647831C8B58682BA45B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000349575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:59.155{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:11:59.152{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0900-000000007502}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:00.724{6820D070-4AD1-6323-0D00-000000007502}8883304C:\Windows\system32\svchost.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:00.724{6820D070-4AD1-6323-0D00-000000007502}8883304C:\Windows\system32\svchost.exe{6820D070-4D67-6323-F100-000000007502}5784C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:00.724{6820D070-4AD1-6323-0D00-000000007502}8883304C:\Windows\system32\svchost.exe{6820D070-4D67-6323-F000-000000007502}6028C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000349608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:00.655{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75BC26AB62E9C91D6D0BFB2D1670F0E9,SHA256=08510AD39F64FD9AB873C2114AF59BD31BA76C7C120D6CC144072B766157D4B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:00.659{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-1300-000000007602}872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:00.658{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-1300-000000007602}872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:00.658{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-1300-000000007602}872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000190829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:00.067{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B72F676E2964DEDDABCB2240A9BFDAB,SHA256=51326A483CD7A762E6672651C854FAB6B8CE846F472C21D6A423BAF9EBF7FF91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000349607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:00.471{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E19E64E7F38722D9C3DD55DCDF460C2F,SHA256=F00831DFB5D0D1C208674449E568B16B1183F2E0CB8B6D7DB1C00B49DA8FA56A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000349606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:00.308{6820D070-4B7F-6323-9900-000000007502}29724976C:\Windows\Explorer.EXE{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+bdd30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8013285BCD8)|UNKNOWN(FFFFD9E122A77E08)|UNKNOWN(FFFFD9E122A77F87)|UNKNOWN(FFFFD9E122A72611)|UNKNOWN(FFFFD9E122A73FDA)|UNKNOWN(FFFFD9E122A72296)|UNKNOWN(FFFFF80132571503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000349605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:00.308{6820D070-4B7F-6323-9900-000000007502}29724976C:\Windows\Explorer.EXE{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bd811|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8013285BCD8)|UNKNOWN(FFFFD9E122A77E08)|UNKNOWN(FFFFD9E122A77F87)|UNKNOWN(FFFFD9E122A72611)|UNKNOWN(FFFFD9E122A73FDA)|UNKNOWN(FFFFD9E122A72296)|UNKNOWN(FFFFF80132571503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000349604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:00.308{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF104cab.TMPMD5=AE83E3D1BED7E22F099EC37882555B7F,SHA256=19C20C1DAA5B1C1F7E9A0561569A10ABB7DBF1B544D26F74C2B5990D9C688508,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000349614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:01.997{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2F00-000000007502}2800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:01.993{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3000-000000007502}2780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 23542300x8000000000000000349612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:01.756{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90C49D436BED655C366436949A78E4CD,SHA256=C7E91A2475EC2F40439733EC83579E07E59AB91171FE6311FA6CCBD4E80AA634,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:01.259{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6320B15805B375770A2B38B9163049CA,SHA256=20220F73950DFE616D71CB6F6A5FE4D882C71E3F3779169997F0F10784E14ACB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000349649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:02.943{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55D1D5F97802CCFC48C3D0D7675F2A3F,SHA256=C4D86FE82EFE94A13DEE9B37B047524B0FE81EF2AC0691E0DFE57DD406E175F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000349648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:00.333{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63573-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000190834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:02.380{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D05107B147042AC0E100AB038CBDFFC0,SHA256=7CDC1A470CA03E89317BFB4891E0D8EA4B8509B4A8482C89FC6F5D93F1FC1C3A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000349647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:02.661{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:02.647{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:02.644{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:02.640{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:02.637{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:02.635{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:02.631{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:02.629{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF6-6323-1401-000000007502}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:02.627{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:02.623{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F100-000000007502}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:02.620{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F000-000000007502}6028C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:02.618{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EF00-000000007502}5984C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:02.608{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EE00-000000007502}5852C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:02.589{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:02.580{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:02.570{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:02.549{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:02.543{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-9100-000000007502}4556C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:02.535{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-8E00-000000007502}4492C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:02.530{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8B00-000000007502}4360C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:02.529{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8900-000000007502}900C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:02.526{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B64-6323-8600-000000007502}5052c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:02.524{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B5A-6323-8400-000000007502}4824C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:02.521{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AF2-6323-7D00-000000007502}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:02.518{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:02.514{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4C00-000000007502}3976C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:02.513{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4700-000000007502}3772C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:02.511{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE1-6323-4600-000000007502}3752C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:02.510{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE0-6323-3A00-000000007502}3404C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:02.006{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3500-000000007502}2408C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:02.005{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3300-000000007502}2176C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:02.001{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000349615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:01.999{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3100-000000007502}2816C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 23542300x8000000000000000349650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:03.959{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AFF9E52B788E8FF3C0AE75F7D0FF6D0,SHA256=156B45235E0A4A1B075FE0D76C51EFCAFC985AD05481EA4908ADB21214B73739,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:03.993{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1200-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000190844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:03.986{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1100-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000190843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:03.975{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1000-000000007602}940C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000190842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:03.968{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0F00-000000007602}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000190841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:03.961{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0E00-000000007602}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000190840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:03.954{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0D00-000000007602}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000190839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:03.943{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0C00-000000007602}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000190838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:03.937{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000190837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:03.934{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0900-000000007602}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 354300x8000000000000000190836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:01.445{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49895-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000190835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:03.482{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35DEBDE24FC9E38D0AF071BE19966EB2,SHA256=87D71D94544D1C847811F7BD418BDF66E6DFE72B6A306C4809DB7602FAF27807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:04.691{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00814F0BED82783FC7C9F950C320DF05,SHA256=A25A7F14B345694BCC1BB5F2B4E638595A2020813F5499A128FB5838998F941A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000349652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:04.792{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:04.792{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:04.149{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B84-6323-9000-000000007602}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000190871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:04.141{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000190870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:04.128{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000190869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:04.124{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8700-000000007602}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000190868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:04.117{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B81-6323-8400-000000007602}3052C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000190867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:04.113{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B80-6323-8100-000000007602}640C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000190866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:04.108{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B7F-6323-7F00-000000007602}1676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000190865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:04.108{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B4B-6323-7B00-000000007602}2656C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000190864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:04.106{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AE3-6323-6D00-000000007602}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000190863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:04.106{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000190862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:04.103{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4200-000000007602}3036C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000190861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:04.102{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4000-000000007602}3000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000190860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:04.099{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-3C00-000000007602}2820C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000190859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:04.098{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD2-6323-2B00-000000007602}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000190858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:04.097{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2600-000000007602}2612C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000190857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:04.091{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2500-000000007602}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000190856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:04.086{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000190855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:04.082{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000190854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:04.080{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2000-000000007602}2000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000190853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:04.078{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1F00-000000007602}1984C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000190852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:04.072{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1C00-000000007602}1924C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000190851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:04.066{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1900-000000007602}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000190850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:04.051{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1700-000000007602}1228C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000190849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:04.049{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1600-000000007602}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000190848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:04.040{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1500-000000007602}1056C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000190847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:04.007{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1400-000000007602}1048C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000190846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:04.001{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1300-000000007602}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 23542300x8000000000000000190874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:05.753{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79891D133F9F96A07E1FC881DC2ACA54,SHA256=2095E206575A685AEAA5B14A586A03FA7C379D0AFFF8004DE28BF41687EBF5D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000349653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:05.092{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FB0E311BB12BACFBD269E5CAC7E2633,SHA256=58A2390CB088DC535513419EFD8816DB640B174B6AF2B668ECE6777D36D27D3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:06.822{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2698169C8685711CB715AACF020B1EC6,SHA256=811D62713FEFBFDCECCC8DF88BF77BE8210AABBD11E34FB6A9944DC9DEC0A9D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000349654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:06.195{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=242FA0A419C5EF5816A2AC22049A6817,SHA256=25580A43D920E78FBE5807726B611D6B365BB8E55BE372A92CAF48FFCFD97146,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:06.303{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:06.303{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:06.302{E743DC12-4ACF-6323-0B00-000000007602}628668C:\Windows\system32\lsass.exe{E743DC12-4AD0-6323-1400-000000007602}1048C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:06.288{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-1D00-000000007602}1944C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000190888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:07.909{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88A54C89EB18AD55E43317300FA0B1C6,SHA256=4FB3056C730DDD7DDDF5E0F69541D7446D1498F3E206822D49677D256B113F89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000349655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:07.314{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0E6E6E41413A1B3F39209C8CD149F9F,SHA256=D90E6E384C008BA2E98C355920F514CDD8242231ECC07A2C754B410C04A8A490,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:07.643{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4ED7-6323-0101-000000007602}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:07.643{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:07.643{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:07.643{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:07.643{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:07.643{E743DC12-4ACF-6323-0500-000000007602}412528C:\Windows\system32\csrss.exe{E743DC12-4ED7-6323-0101-000000007602}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:07.643{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4ED7-6323-0101-000000007602}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:07.644{E743DC12-4ED7-6323-0101-000000007602}3680C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000349656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:08.445{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D81D39CE2F41ED19695B9236940E1E1,SHA256=6E1A3B23B3ABE1358BF39F90DA1DE4EE8E7E8016CFF75A3419CCA61242B48D69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:08.875{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E62C757EB1F8943E7F50CE7EC60A726,SHA256=B58E264A508FE927456D3F449CD73E3AA4E1832D006DB9BE32D5A87F271DB3BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:08.812{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4ED8-6323-0301-000000007602}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:08.812{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:08.812{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:08.812{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:08.812{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:08.812{E743DC12-4ACF-6323-0500-000000007602}412428C:\Windows\system32\csrss.exe{E743DC12-4ED8-6323-0301-000000007602}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:08.812{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4ED8-6323-0301-000000007602}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:08.813{E743DC12-4ED8-6323-0301-000000007602}1552C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000190897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:08.306{E743DC12-4ED8-6323-0201-000000007602}25205016C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:08.134{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4ED8-6323-0201-000000007602}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:08.134{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:08.134{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:08.134{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:08.134{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:08.134{E743DC12-4ACF-6323-0500-000000007602}412528C:\Windows\system32\csrss.exe{E743DC12-4ED8-6323-0201-000000007602}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:08.134{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4ED8-6323-0201-000000007602}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:08.135{E743DC12-4ED8-6323-0201-000000007602}2520C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000349658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:09.540{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FDFF342CC99BE7F216C3CA28E82BDFF,SHA256=D6C6CB3B7CBE654B28F604C11437F8029D827FA67A46EA922653B6D122B0B191,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:09.739{E743DC12-4ED9-6323-0401-000000007602}27041292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000190917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:07.302{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49896-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000190916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:09.489{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4ED9-6323-0401-000000007602}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:09.484{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:09.484{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:09.484{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:09.484{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:09.484{E743DC12-4ACF-6323-0500-000000007602}4121064C:\Windows\system32\csrss.exe{E743DC12-4ED9-6323-0401-000000007602}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:09.484{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4ED9-6323-0401-000000007602}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:09.485{E743DC12-4ED9-6323-0401-000000007602}2704C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000190908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:09.251{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=9809261D06D6FD553D1751394F72FD0C,SHA256=548219FE63A14CEDB3BA331A05B1F6386723B0F4BBCC5C51061AB3D8EFB35D84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:09.093{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=594DE11F6CD3D45EDFFA12F548065537,SHA256=7C6E8D3EC7732EC9F717E1823B6F6490D2A0CAF473B901B59B297002D62D44EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000349657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:06.256{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63574-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000349663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:10.656{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA4CBAD44977F684B6FE49A01BAD3554,SHA256=2FF564133F56CD9F55CB12CEA3C25F8E792DC386C65B2A953CDB701A21A635CA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:10.824{E743DC12-4EDA-6323-0601-000000007602}34562716C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:10.684{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4EDA-6323-0601-000000007602}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:10.684{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:10.684{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:10.684{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:10.684{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:10.684{E743DC12-4ACF-6323-0500-000000007602}4121064C:\Windows\system32\csrss.exe{E743DC12-4EDA-6323-0601-000000007602}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:10.684{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4EDA-6323-0601-000000007602}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:10.684{E743DC12-4EDA-6323-0601-000000007602}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000190928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:10.168{E743DC12-4EDA-6323-0501-000000007602}23965112C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000190927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:10.164{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB50B09835B545C55DEC5988236C64E6,SHA256=33D55EE751B6D003D4FFB16D88C3EE73B314A02195057D373874B3EB40F6E336,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000349662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:10.508{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:10.508{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:10.508{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:10.508{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:10.005{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4EDA-6323-0501-000000007602}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:10.005{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:10.005{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:10.005{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:10.005{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:10.005{E743DC12-4ACF-6323-0500-000000007602}412428C:\Windows\system32\csrss.exe{E743DC12-4EDA-6323-0501-000000007602}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:10.005{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4EDA-6323-0501-000000007602}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:10.006{E743DC12-4EDA-6323-0501-000000007602}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000349664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:11.777{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E83508B720DCF1D46AFC4D853D93BB71,SHA256=E97BF1906D03E17230D94CAF894FCFBA2E70A6EE3928FFB2F37FEE5CADC2BF3C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000190952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:11.373{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4EDB-6323-0701-000000007602}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 10341000x8000000000000000190951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:11.373{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4EDB-6323-0701-000000007602}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 10341000x8000000000000000190950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:11.373{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4EDB-6323-0701-000000007602}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 10341000x8000000000000000190949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:11.372{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4EDB-6323-0701-000000007602}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 10341000x8000000000000000190948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:11.372{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4EDB-6323-0701-000000007602}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 10341000x8000000000000000190947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:11.372{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4EDB-6323-0701-000000007602}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 10341000x8000000000000000190946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:11.284{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4EDB-6323-0701-000000007602}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:11.284{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:11.284{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:11.284{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:11.284{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000190941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:11.284{E743DC12-4ACF-6323-0500-000000007602}412428C:\Windows\system32\csrss.exe{E743DC12-4EDB-6323-0701-000000007602}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000190940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:11.284{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4EDB-6323-0701-000000007602}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000190939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:11.285{E743DC12-4EDB-6323-0701-000000007602}4972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000190938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:11.231{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC9B161DFFEFEF21A849792E48D758F3,SHA256=679F554F77619A26900C6519FCA260D219EB699B1E323B2F8953F8A51B364BB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000349665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:12.893{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED346E4FA2F1D451195DB14857A9B158,SHA256=6F753A7423E01101E0ED7F0F0607E6E6F9AA33767DD9BB8B20A636EC34D7DB88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:12.315{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CF72D161B051E194E580A1CFC0BD51A,SHA256=6856B3BE87D295B0BF24F420FA2825B94B0095B3A79563DB76B300C1ADA149CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:12.205{E743DC12-4AD1-6323-2200-000000007602}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=34469C725DB692F846FCABB6610D75F7,SHA256=6FDAFBF87C8884BA2E37A55247AE545100ED8E0051CDFFF39D0BAD4ED27F0687,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:13.509{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CEFB52C5B55495509D39FE7C2027170,SHA256=10103A200C49223256690896C355A7C2DC77B04BF8ED770755375798DCCDB77C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:14.604{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA2186B02E513A99AA324C9CE40B016B,SHA256=66692CC0C2F70F2BEB2E711249BB600938D95E945ECF42D05E94081A49EC11E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000349666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:14.010{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29856F22588FCAEAC93D83887BBB10F5,SHA256=3DF677739240BF9F6FEA1A099BD353F35015699970A801E5A742BD87CF7630F7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:13.287{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49897-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000190957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:15.692{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D18D226DCF0B7082D14C8BBAFA45C806,SHA256=D4839146CABEABAAFB6EF3914FCA6523B74376D012F027D26B558D5B4E0791B1,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000349673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:15.334{6820D070-4AD1-6323-1400-000000007502}1160C:\Windows\System32\svchost.exeC:\Windows\System32\winsta.dll10.0.14393.0 (rs1_release.160715-1616)Winstation LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationwinsta.dllMD5=12668CEFEE3754CFA61C5699821668B3,SHA256=D0C81619EDE8B846D98417989684EF16DF3A053CC049C7281E40F3359AD5B570,IMPHASH=2E790E44628AED89C2CC17E1E4A5CE1CtrueMicrosoft WindowsValid 10341000x8000000000000000349672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:15.335{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4AD1-6323-1400-000000007502}1160C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000349671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:15.330{6820D070-4AD1-6323-1400-000000007502}1160C:\Windows\System32\svchost.exeC:\Windows\System32\wtsapi32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Remote Desktop Session Host Server SDK APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationwtsapi32.dllMD5=D0DB3DD09FB2B4ADABF4E719FAFC4EB9,SHA256=8B7C056B5F4AB604ED5077A39C63CE1B5A34929DE76DA4A3C54D6E648D123BAB,IMPHASH=AD7CEB919D43FA2BD394EC803EB6BCDAtrueMicrosoft WindowsValid 10341000x8000000000000000349670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:15.335{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4AD1-6323-1400-000000007502}1160C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:15.335{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4AD1-6323-1400-000000007502}1160C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000349668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:12.287{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63576-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000349667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:15.110{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EA0934510CAAC9EF9C0BCA018F7B19C,SHA256=7A89D2E7EFAB75FC047BD94662618567716A74786F28007162EC3D176CBE88F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:16.879{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFEB1407E594775E067D2EAD97D79D71,SHA256=CAE3BE033B306919FF56172C683447C06E55850A3A87AEB6578F53C76A591642,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000349674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:16.127{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2560A93BE3ADDA25A44ED904F111659,SHA256=A7E12EEF3FA61B5089AB8D01B037E54DAF0DE649655FCAB0930207DBC391E26E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:17.961{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C0D5A641B63BE28D6A0AAB702C75D03,SHA256=F767BE3217CA590AD7D9C243F59E89DB8949767A94C32963A3FCABCCCDA426EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000349675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:17.183{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35924A21B1F02338A1DEEC7A689DFB81,SHA256=292AC8D705526DEB992D7D3BB2EA45045D5FDB92445C082125A24221CE2FBC79,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000190960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 16:12:17.550{E743DC12-4AD0-6323-1500-000000007602}1056C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8c91d-0xed09cb5b) 23542300x8000000000000000349676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:18.298{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A7A41A142041AFA036BE006030D5964,SHA256=7A0FE5768C43ACC5B3F9EC39E8678875F10C4316F920FA31C652813999B698BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000349701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:19.771{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2E00-000000007502}2728C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:19.770{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2D00-000000007502}2720C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:19.766{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 23542300x8000000000000000349698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:19.393{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A59C07F9CF71E031D500546C69B3767,SHA256=EBA331286E63A801D5B40BEB1371307556556932B9E69CBB1B02F4BFCDD23538,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000349697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:19.374{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:19.368{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2900-000000007502}2576C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:19.360{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:19.351{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2600-000000007502}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:19.344{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2500-000000007502}2460C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:19.340{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADB-6323-2300-000000007502}2300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:19.338{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD2-6323-1B00-000000007502}1512C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:19.336{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1700-000000007502}1348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:19.325{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1600-000000007502}1292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:19.298{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 23542300x8000000000000000190962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:19.027{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E5A7B2BEC8E80B1ADD5E5C4884C9640,SHA256=1C451421E81A795EE390FB66351786ABF21A939A4FFEC483DCC3B70953BE7B34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000349687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:19.283{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1400-000000007502}1160C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:19.278{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1300-000000007502}924C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:19.268{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1200-000000007502}396C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:19.258{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1100-000000007502}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:19.251{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1000-000000007502}428C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:19.234{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0F00-000000007502}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:19.226{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:19.216{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0D00-000000007502}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:19.203{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:19.157{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:19.153{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0900-000000007502}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 23542300x8000000000000000349703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:20.386{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97E08E11E3496E5C27331051AA7EBB7F,SHA256=AB0B470F5EF9E2D950FA1D2B2AB1715E629A7BB43BBCA8DFCD667AF9FA237756,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:20.771{E743DC12-4AD1-6323-2200-000000007602}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:20.108{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=585D62EB7059800E2C28CB0C0E10350B,SHA256=E1A5DC218B120B73935646DA4E1E74C19BB12F20895F5D626C9C7AE6665C9485,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000349702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:17.375{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63577-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000349717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:21.798{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3500-000000007502}2408C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:21.797{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3300-000000007502}2176C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:21.793{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:21.791{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3100-000000007502}2816C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:21.789{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2F00-000000007502}2800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:21.787{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3000-000000007502}2780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 734700x8000000000000000349711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:21.624{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000349710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:21.624{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000349709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:21.623{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000349708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:21.619{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000349707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:21.619{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000349706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:21.619{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000349705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:21.618{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000349704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:21.487{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE90586DED8BC47D09D7527A4173B643,SHA256=C9432569857A08CAD70A56385C74EDC9E7AFB5656E7D5D7F8176AB79AE67E3B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000190966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:21.202{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=742345AB8ADF92809EBBB73DDEFFF8CB,SHA256=168242B02B3DCA08501696DE89180F4B949EA854EED282B3394604F7A8B94206,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000190965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:18.436{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49898-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000349747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:22.668{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A80BBFB84D3B3F435AC9A64202FC80A3,SHA256=3ED333922B0D163A0ABD7CBAFDD423CB6116691B0842E281BFC6F0123DA3833E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000349746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:22.554{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:22.534{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:22.520{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:22.514{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:22.503{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:22.501{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:22.496{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:22.493{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF6-6323-1401-000000007502}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:22.491{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 23542300x8000000000000000190968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:22.394{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F7EC71CE8B07A6B571C32F19234C782,SHA256=24A32453B925329B8F23C33507A9F7AC3F1ACF14DDB36570CB2BD7D82A38FFF3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000349737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:22.487{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F100-000000007502}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:22.479{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F000-000000007502}6028C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:22.477{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EF00-000000007502}5984C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:22.467{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EE00-000000007502}5852C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:22.425{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:22.414{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:22.401{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:22.361{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:22.350{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-9100-000000007502}4556C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:22.338{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-8E00-000000007502}4492C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:22.331{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8B00-000000007502}4360C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:22.329{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8900-000000007502}900C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:22.326{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B64-6323-8600-000000007502}5052c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:22.321{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B5A-6323-8400-000000007502}4824C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:22.318{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AF2-6323-7D00-000000007502}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:22.315{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:22.309{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4C00-000000007502}3976C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:22.308{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4700-000000007502}3772C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:22.305{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE1-6323-4600-000000007502}3752C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 10341000x8000000000000000349718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:22.304{6820D070-4ADF-6323-2A00-000000007502}26163604C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE0-6323-3A00-000000007502}3404C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001A537ED0) 354300x8000000000000000190967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:19.992{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49899-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 10341000x8000000000000000190976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:23.982{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1000-000000007602}940C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000190975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:23.972{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0F00-000000007602}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000190974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:23.962{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0E00-000000007602}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000190973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:23.954{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0D00-000000007602}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000190972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:23.945{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0C00-000000007602}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000190971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:23.938{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000190970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:23.932{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0900-000000007602}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 23542300x8000000000000000190969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:23.493{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF596E641D4E13C66C09A4DBE46A5841,SHA256=EB46F188670A2B742F79D0F7C05010475514FA691AA092419CC3810DF199031E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000349809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.889{6820D070-4ADF-6323-3200-000000007502}2936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000349808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.804{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000349807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.789{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000349806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.789{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000349805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.668{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=22373D320CB55735C2ACF1A7F1214A2E,SHA256=58ABD6575A177B8B4325531A17A4C62E0D180D0DF21658C908172F5103BAB540,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000349804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.595{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCE0074CE47BFFAD2755939E67C54A8B,SHA256=A4436A804DEC68BAF0EE42E31030CA2AECD11263A28C27D0367F9A7961FB6984,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000349803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.593{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000349802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.593{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000349801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.593{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000349800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.591{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000349799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.591{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000349798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.591{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 734700x8000000000000000349797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.579{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000349796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.579{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000349795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.578{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000349794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.577{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000349793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.575{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000349792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.574{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000349791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.573{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000349790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.573{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000349789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.552{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000349788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.552{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000349787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.552{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000349786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.552{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000349785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.552{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000349784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.552{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000349783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.552{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000349782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.552{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000349781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.552{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000349780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.552{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000349779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.552{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000349778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.552{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000349777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.552{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000349776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.552{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000349775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.552{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000349774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.552{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000349773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.552{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000349772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.552{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000349771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.552{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000349770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.552{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000349769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.552{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000349768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.552{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000349767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.552{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000349766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.552{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000349765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.552{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000349764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.552{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000349763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.552{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000349762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.552{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000349761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.552{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000349760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.552{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000349759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.552{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000349758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.552{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000349757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.552{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000349756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.552{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.552{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.552{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.552{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.552{6820D070-4ACF-6323-0500-000000007502}404520C:\Windows\system32\csrss.exe{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000349751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.552{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000349750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.552{6820D070-4EE7-6323-5701-000000007502}7888C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000349749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.419{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.419{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:24.760{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52E176E5C1F93E806666CEFF8ECDB0C1,SHA256=05D9E81613B4BBE2AABB403358031A184E3CCC4CD0FB60C6994D80C3E9A20A14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:24.524{E743DC12-4AD0-6323-1C00-000000007602}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\respondent-20220915155459-016MD5=36EB26F9EED14D2A649109B5B0D3FC1A,SHA256=D5225DBB467937E991D5678F78067E4612BF477D9EC2143F1C43E71004CE921E,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000349918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.890{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000349917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.890{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000349916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.890{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000349915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.706{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000349914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.705{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000349913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.705{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000349912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.704{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000349911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.702{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000349910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.702{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000349909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.701{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000349908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.701{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000349907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.694{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000349906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.693{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000349905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.693{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000349904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.692{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000349903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.692{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000349902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.691{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000349901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.691{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000349900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.691{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000349899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.691{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000349898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.690{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000349897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.690{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000349896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.690{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000349895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.690{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000349894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.690{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000349893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.690{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000349892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.689{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000349891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.689{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000349890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.689{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000349889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.689{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000349888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.689{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000349887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.689{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000349886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.689{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000349885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.688{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000349884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.688{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000349883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.688{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000349882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.688{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000349881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.688{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000349880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.688{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000349879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.687{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000349878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.686{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000349877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.686{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000349876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.685{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000349875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.685{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000349874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.684{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000349873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.684{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000349872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.683{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000349871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.683{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.683{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000349869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.682{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000349868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.682{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.682{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.681{6820D070-4ACF-6323-0500-000000007502}404420C:\Windows\system32\csrss.exe{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000349865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.681{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000349864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.680{6820D070-4EE8-6323-5901-000000007502}8968C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000349863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.680{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9408FBE50B85C0E274E3863375208638,SHA256=3D40BB926B5C83212A162E6A78171C77399D63F2CA31948796095CCF35C1764A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000349862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.568{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5B4CA1D8DE03EBE6410D629CB726B8F,SHA256=A18E8E1403E7F2ADC3FE1E22FCBF520340814A615637E1889A234FE6B5BD30F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:24.223{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B84-6323-9000-000000007602}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:24.207{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:24.185{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:24.181{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8700-000000007602}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:24.173{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B81-6323-8400-000000007602}3052C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:24.167{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B80-6323-8100-000000007602}640C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000190999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:24.166{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B7F-6323-7F00-000000007602}1676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000190998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:24.160{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B4B-6323-7B00-000000007602}2656C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000190997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:24.159{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AE3-6323-6D00-000000007602}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000190996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:24.157{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000190995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:24.154{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4200-000000007602}3036C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000190994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:24.153{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4000-000000007602}3000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000190993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:24.150{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-3C00-000000007602}2820C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000190992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:24.150{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD2-6323-2B00-000000007602}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000190991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:24.149{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2600-000000007602}2612C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000190990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:24.147{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2500-000000007602}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000190989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:24.144{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000190988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:24.140{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000190987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:24.137{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2000-000000007602}2000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000190986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:24.135{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1F00-000000007602}1984C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000190985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:24.130{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1C00-000000007602}1924C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000190984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:24.124{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1900-000000007602}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000190983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:24.112{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1700-000000007602}1228C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000190982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:24.110{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1600-000000007602}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000190981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:24.099{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1500-000000007602}1056C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000190980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:24.056{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1400-000000007602}1048C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000190979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:24.035{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1300-000000007602}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000190978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:24.019{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1200-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000190977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:24.004{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1100-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 734700x8000000000000000349861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.289{6820D070-4EE8-6323-5801-000000007502}8216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000349860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.289{6820D070-4EE8-6323-5801-000000007502}82168200C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000349859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.289{6820D070-4EE8-6323-5801-000000007502}8216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000349858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.289{6820D070-4EE8-6323-5801-000000007502}8216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000349857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.089{6820D070-4EE8-6323-5801-000000007502}8216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000349856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.089{6820D070-4EE8-6323-5801-000000007502}8216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000349855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.089{6820D070-4EE8-6323-5801-000000007502}8216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000349854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.089{6820D070-4EE8-6323-5801-000000007502}8216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000349853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.089{6820D070-4EE8-6323-5801-000000007502}8216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000349852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.089{6820D070-4EE8-6323-5801-000000007502}8216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000349851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.089{6820D070-4EE8-6323-5801-000000007502}8216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000349850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.089{6820D070-4EE8-6323-5801-000000007502}8216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000349849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.073{6820D070-4EE8-6323-5801-000000007502}8216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000349848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.073{6820D070-4EE8-6323-5801-000000007502}8216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000349847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.073{6820D070-4EE8-6323-5801-000000007502}8216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000349846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.073{6820D070-4EE8-6323-5801-000000007502}8216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000349845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.073{6820D070-4EE8-6323-5801-000000007502}8216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000349844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.073{6820D070-4EE8-6323-5801-000000007502}8216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000349843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.073{6820D070-4EE8-6323-5801-000000007502}8216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000349842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.073{6820D070-4EE8-6323-5801-000000007502}8216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000349841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.073{6820D070-4EE8-6323-5801-000000007502}8216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000349840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.073{6820D070-4EE8-6323-5801-000000007502}8216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000349839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.073{6820D070-4EE8-6323-5801-000000007502}8216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000349838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.073{6820D070-4EE8-6323-5801-000000007502}8216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000349837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.073{6820D070-4EE8-6323-5801-000000007502}8216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000349836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.073{6820D070-4EE8-6323-5801-000000007502}8216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000349835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.073{6820D070-4EE8-6323-5801-000000007502}8216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000349834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.073{6820D070-4EE8-6323-5801-000000007502}8216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000349833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.073{6820D070-4EE8-6323-5801-000000007502}8216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000349832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.073{6820D070-4EE8-6323-5801-000000007502}8216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000349831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.073{6820D070-4EE8-6323-5801-000000007502}8216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000349830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.073{6820D070-4EE8-6323-5801-000000007502}8216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000349829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.073{6820D070-4EE8-6323-5801-000000007502}8216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000349828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.073{6820D070-4EE8-6323-5801-000000007502}8216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000349827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.073{6820D070-4EE8-6323-5801-000000007502}8216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000349826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.073{6820D070-4EE8-6323-5801-000000007502}8216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000349825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.073{6820D070-4EE8-6323-5801-000000007502}8216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000349824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.073{6820D070-4EE8-6323-5801-000000007502}8216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000349823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.073{6820D070-4EE8-6323-5801-000000007502}8216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 10341000x8000000000000000349822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.073{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4EE8-6323-5801-000000007502}8216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000349821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.073{6820D070-4EE8-6323-5801-000000007502}8216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000349820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.073{6820D070-4EE8-6323-5801-000000007502}8216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000349819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.073{6820D070-4EE8-6323-5801-000000007502}8216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000349818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.073{6820D070-4EE8-6323-5801-000000007502}8216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000349817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.073{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.073{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.073{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.068{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.068{6820D070-4ACF-6323-0500-000000007502}404472C:\Windows\system32\csrss.exe{6820D070-4EE8-6323-5801-000000007502}8216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000349812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.068{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4EE8-6323-5801-000000007502}8216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000349811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.072{6820D070-4EE8-6323-5801-000000007502}8216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000349810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:24.068{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87DA174FD8D2790641BB0428EB07BC1F,SHA256=A4073DAFC16F679CF3726B91B3E61F9AF1DA4ECE59A39DBB0A8ADA8DCBFA4A2B,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000350020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.906{6820D070-4EE9-6323-5B01-000000007502}9252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000350019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.890{6820D070-4EE9-6323-5B01-000000007502}9252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000350018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.890{6820D070-4EE9-6323-5B01-000000007502}9252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000350017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.890{6820D070-4EE9-6323-5B01-000000007502}9252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000350016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.890{6820D070-4EE9-6323-5B01-000000007502}9252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000350015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.890{6820D070-4EE9-6323-5B01-000000007502}9252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000350014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.890{6820D070-4EE9-6323-5B01-000000007502}9252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000350013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.890{6820D070-4EE9-6323-5B01-000000007502}9252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000350012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.874{6820D070-4EE9-6323-5B01-000000007502}9252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000350011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.874{6820D070-4EE9-6323-5B01-000000007502}9252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000350010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.874{6820D070-4EE9-6323-5B01-000000007502}9252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000350009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.869{6820D070-4EE9-6323-5B01-000000007502}9252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000350008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.869{6820D070-4EE9-6323-5B01-000000007502}9252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000350007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.869{6820D070-4EE9-6323-5B01-000000007502}9252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000350006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.869{6820D070-4EE9-6323-5B01-000000007502}9252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000350005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.869{6820D070-4EE9-6323-5B01-000000007502}9252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000350004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.869{6820D070-4EE9-6323-5B01-000000007502}9252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000350003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.869{6820D070-4EE9-6323-5B01-000000007502}9252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000350002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.869{6820D070-4EE9-6323-5B01-000000007502}9252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000350001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.869{6820D070-4EE9-6323-5B01-000000007502}9252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000350000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.853{6820D070-4EE9-6323-5B01-000000007502}9252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000349999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.853{6820D070-4EE9-6323-5B01-000000007502}9252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000349998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.853{6820D070-4EE9-6323-5B01-000000007502}9252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000349997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.853{6820D070-4EE9-6323-5B01-000000007502}9252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000349996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.853{6820D070-4EE9-6323-5B01-000000007502}9252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000349995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.853{6820D070-4EE9-6323-5B01-000000007502}9252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000349994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.853{6820D070-4EE9-6323-5B01-000000007502}9252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000349993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.853{6820D070-4EE9-6323-5B01-000000007502}9252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000349992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.853{6820D070-4EE9-6323-5B01-000000007502}9252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000349991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.853{6820D070-4EE9-6323-5B01-000000007502}9252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000349990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.853{6820D070-4EE9-6323-5B01-000000007502}9252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000349989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.853{6820D070-4EE9-6323-5B01-000000007502}9252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000349988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.853{6820D070-4EE9-6323-5B01-000000007502}9252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000349987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.853{6820D070-4EE9-6323-5B01-000000007502}9252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000349986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.853{6820D070-4EE9-6323-5B01-000000007502}9252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000349985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.853{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4EE9-6323-5B01-000000007502}9252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000349984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.853{6820D070-4EE9-6323-5B01-000000007502}9252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000349983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.853{6820D070-4EE9-6323-5B01-000000007502}9252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000349982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.853{6820D070-4EE9-6323-5B01-000000007502}9252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000349981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.853{6820D070-4EE9-6323-5B01-000000007502}9252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000349980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.853{6820D070-4ACF-6323-0500-000000007502}404520C:\Windows\system32\csrss.exe{6820D070-4EE9-6323-5B01-000000007502}9252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 23542300x8000000000000000349979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.853{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8284853BBAADD75931F36997FDF43210,SHA256=59588AC878B05579DA7D18C9442461DAA7BF1F94AF25CE181DB9F6578ADBBEFD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000349978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.853{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.853{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.853{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.853{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.853{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4EE9-6323-5B01-000000007502}9252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000349973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.857{6820D070-4EE9-6323-5B01-000000007502}9252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000349972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.837{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C0C95B9B00EE5F336F838D451C693D1,SHA256=D720CD7AFC94EDB6F2C902D3F6D1EDC7BF4B44ABE119B1420227AB60A563DF5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000349971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.608{6820D070-4EE9-6323-5A01-000000007502}85607804C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000349970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.608{6820D070-4EE9-6323-5A01-000000007502}8560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000349969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.607{6820D070-4EE9-6323-5A01-000000007502}8560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000191009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:25.789{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1318EE576D9010FFB33B623076F2BC3,SHA256=B79E538300C49645798D7BD7A36D96292BC18A5C46D45432597C6A20CA8F5377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:25.536{E743DC12-4AD0-6323-1C00-000000007602}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\surveyor-20220915155457-017MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000349968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.390{6820D070-4EE9-6323-5A01-000000007502}8560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000349967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.374{6820D070-4EE9-6323-5A01-000000007502}8560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000349966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.374{6820D070-4EE9-6323-5A01-000000007502}8560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000349965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.374{6820D070-4EE9-6323-5A01-000000007502}8560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000349964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.374{6820D070-4EE9-6323-5A01-000000007502}8560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000349963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.374{6820D070-4EE9-6323-5A01-000000007502}8560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000349962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.374{6820D070-4EE9-6323-5A01-000000007502}8560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000349961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.374{6820D070-4EE9-6323-5A01-000000007502}8560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000349960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.374{6820D070-4EE9-6323-5A01-000000007502}8560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000349959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.369{6820D070-4EE9-6323-5A01-000000007502}8560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000349958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.353{6820D070-4EE9-6323-5A01-000000007502}8560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000349957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.353{6820D070-4EE9-6323-5A01-000000007502}8560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000349956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.353{6820D070-4EE9-6323-5A01-000000007502}8560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000349955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.353{6820D070-4EE9-6323-5A01-000000007502}8560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000349954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.353{6820D070-4EE9-6323-5A01-000000007502}8560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000349953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.353{6820D070-4EE9-6323-5A01-000000007502}8560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000349952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.353{6820D070-4EE9-6323-5A01-000000007502}8560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000349951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.353{6820D070-4EE9-6323-5A01-000000007502}8560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000349950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.353{6820D070-4EE9-6323-5A01-000000007502}8560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000349949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.353{6820D070-4EE9-6323-5A01-000000007502}8560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000349948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.353{6820D070-4EE9-6323-5A01-000000007502}8560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000349947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.353{6820D070-4EE9-6323-5A01-000000007502}8560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000349946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.353{6820D070-4EE9-6323-5A01-000000007502}8560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000349945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.353{6820D070-4EE9-6323-5A01-000000007502}8560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000349944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.353{6820D070-4EE9-6323-5A01-000000007502}8560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000349943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.353{6820D070-4EE9-6323-5A01-000000007502}8560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000349942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.353{6820D070-4EE9-6323-5A01-000000007502}8560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000349941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.353{6820D070-4EE9-6323-5A01-000000007502}8560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000349940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.353{6820D070-4EE9-6323-5A01-000000007502}8560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000349939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.353{6820D070-4EE9-6323-5A01-000000007502}8560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000349938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.353{6820D070-4EE9-6323-5A01-000000007502}8560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000349937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.353{6820D070-4EE9-6323-5A01-000000007502}8560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000349936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.353{6820D070-4EE9-6323-5A01-000000007502}8560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000349935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.353{6820D070-4EE9-6323-5A01-000000007502}8560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000349934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.353{6820D070-4EE9-6323-5A01-000000007502}8560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000349933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.353{6820D070-4EE9-6323-5A01-000000007502}8560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000349932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.353{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4EE9-6323-5A01-000000007502}8560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000349931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.353{6820D070-4EE9-6323-5A01-000000007502}8560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000349930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.353{6820D070-4EE9-6323-5A01-000000007502}8560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000349929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.353{6820D070-4EE9-6323-5A01-000000007502}8560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000349928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.353{6820D070-4EE9-6323-5A01-000000007502}8560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000349927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.353{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.353{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.353{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.353{6820D070-4ACF-6323-0500-000000007502}404420C:\Windows\system32\csrss.exe{6820D070-4EE9-6323-5A01-000000007502}8560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000349923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.353{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000349922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.353{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4EE9-6323-5A01-000000007502}8560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000349921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.353{6820D070-4EE9-6323-5A01-000000007502}8560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000349920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:23.082{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63580-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 354300x8000000000000000349919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:22.438{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63579-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000350078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.990{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96F6463B699A4233971AE428763A3F41,SHA256=8B8700F92E8242858BB932EE579D62881BFDB6C50E59792D5C2229A2AC672B76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.969{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8450F495C02240361B1CD9CFAE71517,SHA256=D2F81A17B28DE1983C0DB6C633769ACE69BF31EBB6F2181E507CF6A3DFD1982B,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000350076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.706{6820D070-4EEA-6323-5C01-000000007502}9400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000350075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.705{6820D070-4EEA-6323-5C01-000000007502}94008116C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000350074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.698{6820D070-4EEA-6323-5C01-000000007502}9400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000350073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.697{6820D070-4EEA-6323-5C01-000000007502}9400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000350072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.537{6820D070-4EEA-6323-5C01-000000007502}9400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000350071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.537{6820D070-4EEA-6323-5C01-000000007502}9400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000350070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.537{6820D070-4EEA-6323-5C01-000000007502}9400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000350069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.537{6820D070-4EEA-6323-5C01-000000007502}9400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000350068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.537{6820D070-4EEA-6323-5C01-000000007502}9400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000350067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.537{6820D070-4EEA-6323-5C01-000000007502}9400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000350066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.537{6820D070-4EEA-6323-5C01-000000007502}9400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000350065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.537{6820D070-4EEA-6323-5C01-000000007502}9400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000350064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.521{6820D070-4EEA-6323-5C01-000000007502}9400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000350063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.521{6820D070-4EEA-6323-5C01-000000007502}9400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000350062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.521{6820D070-4EEA-6323-5C01-000000007502}9400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000350061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.521{6820D070-4EEA-6323-5C01-000000007502}9400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000350060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.521{6820D070-4EEA-6323-5C01-000000007502}9400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000350059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.521{6820D070-4EEA-6323-5C01-000000007502}9400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000350058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.521{6820D070-4EEA-6323-5C01-000000007502}9400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000350057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.521{6820D070-4EEA-6323-5C01-000000007502}9400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000350056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.521{6820D070-4EEA-6323-5C01-000000007502}9400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000350055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.521{6820D070-4EEA-6323-5C01-000000007502}9400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000350054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.521{6820D070-4EEA-6323-5C01-000000007502}9400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000350053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.521{6820D070-4EEA-6323-5C01-000000007502}9400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000350052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.521{6820D070-4EEA-6323-5C01-000000007502}9400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000350051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.521{6820D070-4EEA-6323-5C01-000000007502}9400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000350050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.521{6820D070-4EEA-6323-5C01-000000007502}9400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000350049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.521{6820D070-4EEA-6323-5C01-000000007502}9400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000350048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.521{6820D070-4EEA-6323-5C01-000000007502}9400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000350047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.521{6820D070-4EEA-6323-5C01-000000007502}9400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000350046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.521{6820D070-4EEA-6323-5C01-000000007502}9400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000350045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.521{6820D070-4EEA-6323-5C01-000000007502}9400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000350044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.521{6820D070-4EEA-6323-5C01-000000007502}9400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000350043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.521{6820D070-4EEA-6323-5C01-000000007502}9400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000350042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.521{6820D070-4EEA-6323-5C01-000000007502}9400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000350041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.521{6820D070-4EEA-6323-5C01-000000007502}9400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000350040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.521{6820D070-4EEA-6323-5C01-000000007502}9400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000350039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.521{6820D070-4EEA-6323-5C01-000000007502}9400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000350038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.521{6820D070-4EEA-6323-5C01-000000007502}9400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000350037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.521{6820D070-4EEA-6323-5C01-000000007502}9400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000350036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.521{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4EEA-6323-5C01-000000007502}9400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000350035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.521{6820D070-4EEA-6323-5C01-000000007502}9400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000350034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.521{6820D070-4EEA-6323-5C01-000000007502}9400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000350033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.521{6820D070-4EEA-6323-5C01-000000007502}9400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000350032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.521{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000350031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.521{6820D070-4EEA-6323-5C01-000000007502}9400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000350030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.521{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.521{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.521{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.521{6820D070-4ACF-6323-0500-000000007502}404420C:\Windows\system32\csrss.exe{6820D070-4EEA-6323-5C01-000000007502}9400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000350026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.521{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4EEA-6323-5C01-000000007502}9400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000350025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.522{6820D070-4EEA-6323-5C01-000000007502}9400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000350024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.090{6820D070-4EE9-6323-5B01-000000007502}9252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000350023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.090{6820D070-4EE9-6323-5B01-000000007502}92529256C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000350022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.090{6820D070-4EE9-6323-5B01-000000007502}9252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000350021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:26.090{6820D070-4EE9-6323-5B01-000000007502}9252C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000191010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:26.855{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8C90886F3C2AB0A5F28BA51EEB919C7,SHA256=2CBF4E8D6E81413A97974DA27B2B2CBACFA90B9B8064B81992BE95B21EADCC7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:27.921{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E54332D90899055134034E9F0F6F64B,SHA256=1DA01EC9B310B0E07152485333ECC353021A4662990F306A4DB8566E01F62F68,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000350130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.422{6820D070-4EEB-6323-5D01-000000007502}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000350129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.422{6820D070-4EEB-6323-5D01-000000007502}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000350128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.422{6820D070-4EEB-6323-5D01-000000007502}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000350127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.223{6820D070-4EEB-6323-5D01-000000007502}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000350126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.209{6820D070-4EEB-6323-5D01-000000007502}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000350125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.209{6820D070-4EEB-6323-5D01-000000007502}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000350124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.209{6820D070-4EEB-6323-5D01-000000007502}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000350123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.209{6820D070-4EEB-6323-5D01-000000007502}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000350122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.209{6820D070-4EEB-6323-5D01-000000007502}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000350121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.209{6820D070-4EEB-6323-5D01-000000007502}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000350120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.209{6820D070-4EEB-6323-5D01-000000007502}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000350119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.209{6820D070-4EEB-6323-5D01-000000007502}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000350118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.209{6820D070-4EEB-6323-5D01-000000007502}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000350117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.209{6820D070-4EEB-6323-5D01-000000007502}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000350116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.209{6820D070-4EEB-6323-5D01-000000007502}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000350115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.209{6820D070-4EEB-6323-5D01-000000007502}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000350114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.209{6820D070-4EEB-6323-5D01-000000007502}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000350113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.209{6820D070-4EEB-6323-5D01-000000007502}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000350112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.209{6820D070-4EEB-6323-5D01-000000007502}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000350111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.209{6820D070-4EEB-6323-5D01-000000007502}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000350110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.209{6820D070-4EEB-6323-5D01-000000007502}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000350109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.209{6820D070-4EEB-6323-5D01-000000007502}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000350108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.191{6820D070-4EEB-6323-5D01-000000007502}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000350107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.191{6820D070-4EEB-6323-5D01-000000007502}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000350106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.191{6820D070-4EEB-6323-5D01-000000007502}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000350105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.191{6820D070-4EEB-6323-5D01-000000007502}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000350104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.191{6820D070-4EEB-6323-5D01-000000007502}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000350103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.191{6820D070-4EEB-6323-5D01-000000007502}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000350102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.191{6820D070-4EEB-6323-5D01-000000007502}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000350101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.191{6820D070-4EEB-6323-5D01-000000007502}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000350100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.191{6820D070-4EEB-6323-5D01-000000007502}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000350099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.191{6820D070-4EEB-6323-5D01-000000007502}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000350098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.191{6820D070-4EEB-6323-5D01-000000007502}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000350097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.191{6820D070-4EEB-6323-5D01-000000007502}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000350096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.191{6820D070-4EEB-6323-5D01-000000007502}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000350095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.191{6820D070-4EEB-6323-5D01-000000007502}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000350094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.191{6820D070-4EEB-6323-5D01-000000007502}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000350093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.191{6820D070-4EEB-6323-5D01-000000007502}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000350092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.191{6820D070-4EEB-6323-5D01-000000007502}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000350091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.191{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4EEB-6323-5D01-000000007502}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000350090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.191{6820D070-4EEB-6323-5D01-000000007502}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000350089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.191{6820D070-4EEB-6323-5D01-000000007502}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000350088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.191{6820D070-4EEB-6323-5D01-000000007502}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000350087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.191{6820D070-4EEB-6323-5D01-000000007502}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000350086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.191{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.191{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.191{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.191{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.191{6820D070-4ACF-6323-0500-000000007502}404520C:\Windows\system32\csrss.exe{6820D070-4EEB-6323-5D01-000000007502}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000350081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.191{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4EEB-6323-5D01-000000007502}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000350080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.192{6820D070-4EEB-6323-5D01-000000007502}9224C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000350079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:27.170{6820D070-4ADF-6323-3200-000000007502}2936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A43F8CA5017F25AB2E5ADE476C9B1783,SHA256=7A34111AC42C6C28B4BA3DFDF45D0266C84D32DA5603D7C78FDB5D4168BCBFA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:24.406{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49900-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000350133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.826{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63581-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000350132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:25.826{6820D070-4ADF-6323-2600-000000007502}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63581-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 23542300x8000000000000000350131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:28.075{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4FC2D356DB32893C9BEF072DA491B42,SHA256=8E54269690E3E142587A46CC3C92A8B9F85944AFAF7B46223B5B3AE1D13C4842,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:29.002{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56CC6D9D6DB168D578B359DDDC780D75,SHA256=E91C5275E1DC0F4DA08D853A76FA72FBCF34F3ABC2D5AECB3B3E9DEFD6C6FF3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:29.096{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67ABFFB48193668A404BDF4A33926AC8,SHA256=F2206EF17CE54CFD0CE50C2272138240F7DA35243C270A278E3334977FDD8CB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:30.099{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=832F147AEAB25B1509CE8120B380DD47,SHA256=7A3918C6B5CF62C855010A872DBB8C402C187A378DFF24FEB36BF690BBACBBB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000350136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:28.351{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63582-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000350135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:30.128{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FB09828357F8E15050C97368054D254,SHA256=A79C697612D1C24CCDB86EE636E4D4094B736E1C1999088B2C9B19B2CBFBD7CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:31.186{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE8787FDDF920C5BE98B09524D087E13,SHA256=FBC440A4D53FA0D5D32DAF545C129E0FB719FCFB4E594612D72412EBD82392A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:31.160{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F872ED866F25E46B11F0C264C18ACBB,SHA256=AA24EABFF2F5DD0BBA7ED1A6A824CB4DC809200A652CF6E8862236B0F6B6DE14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:32.283{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83AB06E3775F3CEC8601E122DE54B1A9,SHA256=5BDDBB8BE7206C60BBAA6C276C544C70A73C4BDF5012EAC68F2DC23397F377CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:32.249{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A925E968D11D47A57DBB330B796C29E,SHA256=BEFE5DC4AD0EF4E6C72AE3009CDBCE72E9D20F67A70DCA70391C4CE808FC7D69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:33.377{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C59D8B5725E5B54F653192B12C33A4F9,SHA256=7A18E146FEB8BFFFDC1CB97D10F581633D5DECDE7AF8888ED6DB8339A825E7CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:33.317{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6B1982350034E5C30113A4E996FF837,SHA256=D0C87F788874AE869C05A60DFF09B9BB97903738F32D4C6A85ECEC8E21F08ACB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:30.406{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49901-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000191019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:34.489{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6DA54AFB6AE398D7352844771806FA9,SHA256=AF8A3FFAE7FC23139ECCB4BF87FFB2D11ADAF41237EB005102F86D5EB0FAEAD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:34.383{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=719395A90A9A2C6D89E7289B852B6A97,SHA256=60FB0093D3F548590F292C370151BF89C8578AED29AB6C96DC1B5EF8A756A75B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:35.581{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3962FDEAF331EBB72EC074A2BC2BC058,SHA256=C5C0F2CBB35D4ABCADC374A79337FBD1AD14FD045B4E7914F3170079D3716E83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:35.471{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5A1FE5DF2FE4711048473E48B0883E8,SHA256=A62E28566597D2B02A3410E6BBD230862F95AB6058CC36333A0E6D091D8FE524,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000350141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:33.433{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63583-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000191021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:36.704{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8CE9888907A9C7B68451832C15BD784,SHA256=07B8DC7431F4C4B1033B10281589AF374E07A89AE477A9184EB7CBC5A4D6264D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:36.489{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D7E636811925437B050A2CEEDD829B5,SHA256=A99A64E0C65D1A6C96172001ED50FA8F980DC7B7FE6DA42FD9AC123A00B431D0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000350144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:36.409{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:36.409{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:37.900{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=889A8D9409C7608EEB4F560BBA2F3689,SHA256=3F53B5FC2D87B7271EB0A75E238745763319E5F89BEBB9A10A165B5C9EC86F6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:37.543{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=725C6F5204D570ED8A78152C90D87733,SHA256=73DAAF79D7D5AB5037F7A7CE50B242984E8B4D7E537D754833CD3BF390889FAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:38.629{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CE1A41A6A5AF5EBBEA78AD701AD7C00,SHA256=6CD43F78C22C341AFE72316A4C440211324A4A70F83C41E944BC0F3F4617AFB9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000350173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:39.828{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2E00-000000007502}2728C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:39.826{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2D00-000000007502}2720C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:39.821{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 23542300x8000000000000000350170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:39.694{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E28992865D0BDD7E61A5FCC75CD7E55,SHA256=A4B635A46CBE2EB899E3E3493F0BCB6574819F1AD28E63FA237D72308B8D24E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:36.347{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49902-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000191023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:39.002{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3C82C8BB573702C74CAE035C1A691E0,SHA256=4E8D0698A1C438EDD3FB7B138A4B4BF6BCA08AB84CB4B0AC0D4AA12C3172D879,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000350169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:39.343{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:39.336{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2900-000000007502}2576C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:39.330{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:39.316{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2600-000000007502}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:39.308{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2500-000000007502}2460C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:39.305{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADB-6323-2300-000000007502}2300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:39.303{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD2-6323-1B00-000000007502}1512C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:39.296{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1700-000000007502}1348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:39.287{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1600-000000007502}1292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 23542300x8000000000000000350160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:39.271{6820D070-4ADF-6323-2900-000000007502}2576NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\respondent-20220915155514-016MD5=3EE9864ACDFFE78A8B2E0DEDF704C720,SHA256=3E9075B80C33CFA58EAF977E4450D367AD693E429428DFB55B91DE7FD240E49F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000350159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:39.262{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:39.256{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1400-000000007502}1160C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:39.251{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1300-000000007502}924C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:39.242{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1200-000000007502}396C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:39.234{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1100-000000007502}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:39.228{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1000-000000007502}428C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:39.216{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0F00-000000007502}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:39.207{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:39.196{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0D00-000000007502}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:39.187{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:39.145{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:39.142{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0900-000000007502}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 23542300x8000000000000000350175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:40.748{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDDCF8E5772142C2D549E7218A42AD49,SHA256=F2B9D07FEA7E8FFD7F270BF55C4C3CC55BD20FCF0366BAE1E7CF7F20757B2CF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:40.106{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43D0CBBBDC09CEF8ED02F6E15DE3F36D,SHA256=26058457CDB9B970DD1DCE112811EFFA5FC93052DDDA5C9232C4D1C90B6CF289,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:40.278{6820D070-4ADF-6323-2900-000000007502}2576NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\surveyor-20220915155511-017MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000350183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:41.879{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3500-000000007502}2408C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:41.877{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3300-000000007502}2176C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:41.874{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:41.872{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3100-000000007502}2816C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:41.869{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2F00-000000007502}2800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:41.866{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3000-000000007502}2780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 23542300x8000000000000000350177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:41.783{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B79313B3AE698348EA86EE351B60F23,SHA256=3463E37969324EE62840D144F6B9C05E26C922BA62895FF287647B5780B52A8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:41.207{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A5CF8C04A0A6B807D27AAEDCB2DA060,SHA256=F07105506A8BAFA74A8CC79A16628DB393593880E73FE9F109B7D936E1F4C079,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000350176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:39.223{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63584-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000191028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:42.422{E743DC12-4AD1-6323-2200-000000007602}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=D88EC69772C6B72B07B5E3DD9ACE5CF9,SHA256=21DB3565C1A0CBCB09C5D29DACE6BA888DAD4816BD6210E99E4B84940639007C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:42.297{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED048B95F5AA63B1AD3DB4F864FBDB8B,SHA256=7A68B3A7B3D40E8C58896E9391D5718FC12D6D133CC934BC922DE27287DE14E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:42.886{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4B80558803358AEED4C4BE9FAB6FC20,SHA256=F86B9119A5128B9B2BCCB01AA0162358E1866230A8026676E63F04CEE744BA0E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000350212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:42.553{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:42.528{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:42.525{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:42.522{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:42.519{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:42.517{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:42.513{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:42.510{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF6-6323-1401-000000007502}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:42.509{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:42.503{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F100-000000007502}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:42.500{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F000-000000007502}6028C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:42.498{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EF00-000000007502}5984C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:42.491{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EE00-000000007502}5852C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:42.470{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:42.464{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:42.454{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:42.427{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:42.421{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-9100-000000007502}4556C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:42.413{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-8E00-000000007502}4492C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:42.407{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8B00-000000007502}4360C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:42.405{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8900-000000007502}900C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:42.403{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B64-6323-8600-000000007502}5052c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:42.401{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B5A-6323-8400-000000007502}4824C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:42.397{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AF2-6323-7D00-000000007502}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:42.394{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:42.387{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4C00-000000007502}3976C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:42.387{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4700-000000007502}3772C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:42.385{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE1-6323-4600-000000007502}3752C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:42.384{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE0-6323-3A00-000000007502}3404C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000191040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:43.998{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1300-000000007602}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:43.992{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1200-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:43.984{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1100-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:43.974{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1000-000000007602}940C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:43.969{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0F00-000000007602}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:43.962{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0E00-000000007602}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:43.955{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0D00-000000007602}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:43.948{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0C00-000000007602}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:43.941{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:43.938{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0900-000000007602}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 23542300x8000000000000000191030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:43.616{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1556E4F0FFB81BCF512875C4D9F012D3,SHA256=11D64DF8081DF7A99437791334A87E41C7E28CDB4D3DB52DFCEFFB4DEFEED279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:43.891{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=699C563394BA21381A4699022D4ABF71,SHA256=123544462156EDDA4CCC13AAFC5D6EA774ADE1F8178DE7A2EB8A0ECC06008DB7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:41.361{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49903-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000350215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:44.932{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9076BE1547C9BBCF5B62A4A484853021,SHA256=AD34EF4D084D22405B454D5C29E2FF9C290352DB4D9DDA23EAE7F0D07F0B1CA3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:44.143{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B84-6323-9000-000000007602}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:44.134{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:44.119{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:44.114{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8700-000000007602}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:44.108{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B81-6323-8400-000000007602}3052C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:44.103{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B80-6323-8100-000000007602}640C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:44.102{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B7F-6323-7F00-000000007602}1676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:44.100{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B4B-6323-7B00-000000007602}2656C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:44.096{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AE3-6323-6D00-000000007602}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:44.093{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:44.090{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4200-000000007602}3036C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:44.089{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4000-000000007602}3000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:44.087{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-3C00-000000007602}2820C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:44.086{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD2-6323-2B00-000000007602}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:44.084{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2600-000000007602}2612C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:44.083{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2500-000000007602}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:44.079{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:44.075{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:44.073{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2000-000000007602}2000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:44.069{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1F00-000000007602}1984C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:44.062{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1C00-000000007602}1924C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:44.056{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1900-000000007602}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:44.039{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1700-000000007602}1228C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:44.037{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1600-000000007602}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:44.026{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1500-000000007602}1056C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:44.004{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1400-000000007602}1048C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000350220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:45.995{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:45.133{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFDE1DC3479C79EEF45362D18A388F87,SHA256=806F3E4CCA64A97ADFECFDE235FE390FB42925DF48C31FEDF6E3F9A8ED189971,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000350219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:45.576{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:45.576{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:45.179{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:45.179{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:46.253{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C85A27854FFE277A07A4F5EE77B5B3C,SHA256=5BC48F3AB77D1E20499395A184841D808FDF49B06E484E44176A27B4D72632B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:45.995{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1065BEC9E11C1C97C46CB6AFE93A0291,SHA256=9DE7DC1457EB9FCDEA1FD6BAF61ACF90173BCF7F1C931BC35A0DCC7356128911,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000350221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:45.995{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:47.371{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE9C50451067814BE6E8AF94B59802C1,SHA256=A31D22AC1C2A6662F68420DDFC17D71E391EA71C7B71176563A0872FA3A8958F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000350227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:47.765{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:47.765{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000350225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:45.254{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63585-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 13241300x8000000000000000350224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 16:12:47.448{6820D070-4AD1-6323-1200-000000007502}396C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8c91d-0xfedbee09) 23542300x8000000000000000350223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:47.063{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1AB85A4853351AF3A44EEC49BA8CF4C,SHA256=2238159C3B493F11B5722DFF82ED68F0B43B58653845F691E7015CE3ADCC96FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:48.464{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EB8A6439B26EBCCAB27C147C206559B,SHA256=53018B7C8122A6607CB643B6DE4600472627662FC6D39E207ECE10A85ED1D86D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:48.134{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F7A33D469C10DCD8413C0242DADDBD3,SHA256=B869FEB214131F37ADC1A8A725BE78FE83D424E2CCE96908ED29B8E225A96BB7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:47.306{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49904-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000191071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:49.561{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3246FEF435EC9256264D0CFC42EFDF2,SHA256=66B0DC4024F20603D796E3B49429A7BAD410290CD9ADFAAB41E057139E420B97,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000350231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:49.584{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:49.584{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000350229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:49.159{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F389971D476617A209C339A5CCF50DF,SHA256=801B9B92F3CC41F9A2F984182D8F5858E303E25B008B27099682E6D574533A4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:50.659{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26503DD98C9E94C4AB5DD5559407A1B5,SHA256=D22FF3764905B13A0F1A2790F0A78BF45607848BD8F4D5C7FD61232C184CFB1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:50.241{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC4474A4B9BEC84E6FD6D1478E8A5F79,SHA256=1AC57A8B5D83D6986ECBF155057FC5BA7370816D336306C5165E63CECB3F3054,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:51.744{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=361E53F275E8247E60FBC68D99273A1F,SHA256=70048A2D2E2E3BD3F9003AB39915EA354CB08671954EB53052E30993714DCDDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:51.338{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA2A14032143AD84BCCF3B386EDF274C,SHA256=4D82B5D2F31AA88864242198F15308629EC4F8D8B2F0A5111EC781AE6173E426,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000350233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:51.096{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:52.956{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=037F7099F0559B7D6AD01A5733F07078,SHA256=A6028E742C8DEF89DEF7631A698E84E7315FE7707AB36E713C5B8098C67273F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:52.387{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CD0DD3937068B04A5839ED2703CF3AE,SHA256=E6EA74A1E59420D651FBB67D03CD86EBA94F356BA3A0626FEA80D3886A563CFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000350239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:52.340{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:52.340{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:52.251{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:52.251{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:52.120{6820D070-4AD1-6323-0D00-000000007502}8883304C:\Windows\system32\svchost.exe{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000350242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:51.248{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63586-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000350241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:53.359{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5C7AF595EF4CD7F7A65D65EC8A157E2,SHA256=3FFA5AFEF5F79E7328E8D2DE2B057612A8E76BF1D9162801BD8DE2B095F683D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:54.410{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B24C9957394F2F8E031EFEDE5CB0B33,SHA256=D8A9C7807092AE3EBE864337EB8B506B9AF85F645A1998FE617AC919FF0E72C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:54.690{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-1400-000000007602}1048C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:54.060{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA5456DB5A6A767EFBC04430334A0CC8,SHA256=5854537883F12065765FE1C1D01944F15E1E9C24012795F3E6A2D2A669365F31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:55.434{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B38CA7FC3B6A4E8FECE8B7305352244,SHA256=EB3AE5FDC3C2F06920753BFB0018E00F489A316201571ECF614B2AE8242CCDBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:52.364{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49905-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000191078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:55.157{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86FE8E1AB0B2287F0C3D048F054EEA5E,SHA256=C486B3AC31A55EF6BB33A26A2466C2A9771DB2C18E0371DA5DF111C7B35B3DDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:56.482{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45D390F54C1F8B6B46905B5750A1A498,SHA256=F6C97A7BFC40F6655889EE5A6D8802B611C5E72B130034EA3E1CBF654C144972,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:56.377{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F79FC7A701992ED7B476DCA09D34185,SHA256=B0BCC9641551F2F3CA45B04BA70309290119011A494754E2BC4F0EF9C9DA6C9D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000350246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:56.267{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:56.267{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000350250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:57.802{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1CC955AF647820F2AE83C230CDE8E18,SHA256=7503A55E782BD5BBBFDA236DA4888555E97942CC351E066BEF2FD5C4CE6FCE02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:57.554{6820D070-4ADF-6323-3200-000000007502}2936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=DDEDE98CA036EB5B791B8782579FA826,SHA256=C66072F21258AAE40FFF9003D73256CA28840E4BE9F59B179EDC3354EFF1ED8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:57.554{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D632FC69F584F8FA00E51CCC576FE56,SHA256=7C3783B2625371F7588CD0DEBF7675998E84CBA62976ACA4082E0383AC8EDCC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:57.478{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=160A5935385FBC75E52896D6B7187FA0,SHA256=776B9360EAD33E5F942012D5A260E969B69C420A572ED821B8F72E349CAB0A04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:57.399{E743DC12-4AD0-6323-1100-000000007602}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=50AB06ABB8D53AA427F4D8D244A26B79,SHA256=2DB7F6A6182949792F2DBCF887F837739B242E376AB86FF19B88D378A24C2509,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:58.837{6820D070-4AD1-6323-1100-000000007502}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=555243C3DDFD4D9B87F15B157C2248E2,SHA256=BCF08547CFB4A06A46C24C69BA23C462B3BE2987E46260A622CB9173B58B7A67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:58.637{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=677F1F938AC0F0E7D766777BC24386AA,SHA256=90DEFA667DCC819B71EC446CB89F8F99012881BD49BE0F243A048292EA519750,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:58.584{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E03EB563282B99157DADC273F41861A6,SHA256=AC781F5315648BD90BF425EABF7EB13FBC06D386F51E4FF6E612CE2AAA911F0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000350277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:59.864{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2E00-000000007502}2728C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:59.862{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2D00-000000007502}2720C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:59.857{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 23542300x8000000000000000350274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:59.688{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A38A410500E5807C7070EBC08F15058,SHA256=4BE1501D3DF177E6B32245B25AFBCC8B3839F8D893BAAEFE7237F7DA4E079DAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:59.678{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A11DEDE79250537E9488C75470219A33,SHA256=FF83C38D1AE7654A9CD15ECA5B6EAF627F6A0384BA5E9FCB1D145DE8940705E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000350273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:59.373{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:59.367{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2900-000000007502}2576C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:59.361{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:59.347{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2600-000000007502}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:59.331{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2500-000000007502}2460C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:59.327{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADB-6323-2300-000000007502}2300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:59.326{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD2-6323-1B00-000000007502}1512C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:59.323{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1700-000000007502}1348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:59.312{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1600-000000007502}1292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:59.282{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:59.276{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1400-000000007502}1160C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:59.270{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1300-000000007502}924C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:59.262{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1200-000000007502}396C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:59.253{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1100-000000007502}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:59.244{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1000-000000007502}428C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:59.230{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0F00-000000007502}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:59.218{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:59.208{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0D00-000000007502}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:59.199{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:59.153{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:59.149{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0900-000000007502}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 23542300x8000000000000000191086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:00.881{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=489A0A27A90674770033F89D2C1E4F0A,SHA256=D9D8F2415CFD17A3AC368210CDF1C8FC0207D9C190C46818FA7CF4FCE52A2447,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:00.958{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C5C0ECB3EB529E966CAEB86E9867AF3,SHA256=3A6A393A827CED3E8FB2386CFBDE504DADCEB2FA881B9D8BB5ACEF285F927DB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000350280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:12:57.231{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63588-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000350279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:00.212{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:00.212{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000191085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:12:58.283{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49906-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000191087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:01.994{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B683EB113E535C05FA226561C2B01E6,SHA256=159FE467E8A895BF099BAEBE74A109EA18FD28FF700936881A0D054BF990DC2A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000350289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:01.903{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3500-000000007502}2408C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:01.902{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3300-000000007502}2176C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:01.898{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:01.896{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3100-000000007502}2816C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:01.893{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2F00-000000007502}2800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:01.891{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3000-000000007502}2780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:01.707{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:01.707{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:02.604{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:02.585{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:02.582{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:02.579{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:02.575{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:02.572{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:02.568{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:02.565{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF6-6323-1401-000000007502}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:02.564{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:02.561{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F100-000000007502}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:02.558{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F000-000000007502}6028C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:02.554{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EF00-000000007502}5984C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:02.544{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EE00-000000007502}5852C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:02.523{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:02.515{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:02.503{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:02.477{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:02.465{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-9100-000000007502}4556C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:02.451{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-8E00-000000007502}4492C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:02.444{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8B00-000000007502}4360C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:02.442{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8900-000000007502}900C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:02.439{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B64-6323-8600-000000007502}5052c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:02.428{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B5A-6323-8400-000000007502}4824C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:02.425{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AF2-6323-7D00-000000007502}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:02.421{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:02.414{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4C00-000000007502}3976C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:02.412{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4700-000000007502}3772C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:02.408{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE1-6323-4600-000000007502}3752C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000350291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:02.407{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE0-6323-3A00-000000007502}3404C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 23542300x8000000000000000350290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:02.059{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A93AEE3E6FB5736328A3E789CDF695D,SHA256=46989B51CF9D69AB42D6BF675A8BB06663D9E292BB3F7B28B2DFF1610FA311E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:03.260{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ECE597378C5C990545CA85EE17852A3,SHA256=AA8C4E4F8E35DA2EB51A542DDE6D6FE1D1C6D086C4B3C7822CB89E3752873090,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:03.995{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1000-000000007602}940C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:03.983{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0F00-000000007602}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:03.977{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0E00-000000007602}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:03.966{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0D00-000000007602}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:03.946{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0C00-000000007602}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:03.939{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:03.937{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0900-000000007602}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 23542300x8000000000000000191088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:03.104{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B2DF23E85BE8E07C9A6D3DCFC6FE198,SHA256=AC9AE3DE10175654E13197437EA9D983FF27AF92148783F6FB20401ADCADD9A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:04.216{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F296B773CA54DF39058A25EE1D69A545,SHA256=B13C11C7EC0A6E5EC0D70255A2BFD734C7ED5F05952F1800C5D01EC056D9A361,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:04.197{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B84-6323-9000-000000007602}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:04.182{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 23542300x8000000000000000350321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:04.311{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=193C0AF14CA5129AEBA264CA7EA923E4,SHA256=D1A55FB9EF0DC7888C9AAB229B2E6DCE7440A13D0ACF599E3E70F144C4879640,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:04.169{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:04.162{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8700-000000007602}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:04.152{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B81-6323-8400-000000007602}3052C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:04.146{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B80-6323-8100-000000007602}640C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:04.144{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B7F-6323-7F00-000000007602}1676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:04.141{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B4B-6323-7B00-000000007602}2656C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:04.139{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AE3-6323-6D00-000000007602}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:04.134{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:04.131{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4200-000000007602}3036C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:04.130{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4000-000000007602}3000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:04.128{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-3C00-000000007602}2820C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:04.128{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD2-6323-2B00-000000007602}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:04.126{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2600-000000007602}2612C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:04.124{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2500-000000007602}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:04.121{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:04.117{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:04.115{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2000-000000007602}2000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:04.112{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1F00-000000007602}1984C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:04.105{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1C00-000000007602}1924C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:04.095{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1900-000000007602}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:04.083{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1700-000000007602}1228C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:04.080{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1600-000000007602}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:04.070{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1500-000000007602}1056C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:04.032{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1400-000000007602}1048C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:04.027{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1300-000000007602}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:04.013{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1200-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:04.006{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1100-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 23542300x8000000000000000191126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:05.323{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D450813BA834DF06FCCD7F9F0C4F8A8B,SHA256=D96FBB1A1BF8DA0E1AF5D73A835CAFAAF749BD4534BC7BC61A9ADAB55AC39CDE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000350323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:03.254{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63589-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000350322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:05.330{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3931F4E48C38C4444742722C95BDCDFE,SHA256=2636311519082E8075E44B39FF341A3CF48DA6730897E2B5BD08A3771D6DEE56,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:04.261{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49907-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000191131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:06.397{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=091214A0CEE17DF3FF741225F8AD7703,SHA256=79B0578895BED6C73ACFB777E3422F3BE22729636138AC0737C26F9F38EBFE8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:06.377{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5273BCCEEF5214EE93DD3244C0CF7D4,SHA256=7E58534C263ABFA2ED46B76ED5057481A332A815D1A9B985A8ACE10C3885711C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:06.302{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:06.302{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:06.302{E743DC12-4ACF-6323-0B00-000000007602}628668C:\Windows\system32\lsass.exe{E743DC12-4AD0-6323-1400-000000007602}1048C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:06.290{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-1D00-000000007602}1944C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:07.646{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4F13-6323-0801-000000007602}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:07.646{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:07.646{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:07.646{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:07.646{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:07.646{E743DC12-4ACF-6323-0500-000000007602}412428C:\Windows\system32\csrss.exe{E743DC12-4F13-6323-0801-000000007602}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:07.646{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4F13-6323-0801-000000007602}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:07.646{E743DC12-4F13-6323-0801-000000007602}4676C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000191133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:07.630{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CD2152D479D860DFBFC5352E8C3B664,SHA256=54D9C58E982DE1D4E4000477D6638AF57385B0B390BFED752E9B10F923503B6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:07.449{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AC1E2541850D4E923950906A4D4B96B,SHA256=A72B65173D6DC9ED8BC40FD38DAECA435358D1145DC7AE620B7737457119BC6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:08.982{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4F14-6323-0A01-000000007602}4680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:08.982{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:08.982{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:08.982{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:08.982{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:08.982{E743DC12-4ACF-6323-0500-000000007602}412428C:\Windows\system32\csrss.exe{E743DC12-4F14-6323-0A01-000000007602}4680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:08.982{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4F14-6323-0A01-000000007602}4680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:08.982{E743DC12-4F14-6323-0A01-000000007602}4680C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000191152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:08.716{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CD58FF80EF05CEF2CF71838F10F4F2F,SHA256=26350E8C939880EDB3473ABF6178691DFC0033E06AA3461EC2E900FEF52D178B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:08.518{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68627FA3EF562B8C3C60FC582F0888EE,SHA256=4785B32FBC665340903627F820E89E98B39048D39009F23924A85980619B9D5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:08.685{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=436861D07256FF3742377449F530CE00,SHA256=9EDC34DEE76F2691DDB2212087A11EAC7688A725E40E9F9DA757126D305EF7E3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:08.497{E743DC12-4F14-6323-0901-000000007602}46725052C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:08.320{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4F14-6323-0901-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:08.320{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:08.320{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:08.320{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:08.320{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:08.320{E743DC12-4ACF-6323-0500-000000007602}412528C:\Windows\system32\csrss.exe{E743DC12-4F14-6323-0901-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:08.320{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4F14-6323-0901-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:08.320{E743DC12-4F14-6323-0901-000000007602}4672C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000191171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:09.798{E743DC12-4F15-6323-0B01-000000007602}32444356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:09.798{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFA119CB3BB4805680DC293936D55065,SHA256=3F959CDA2DD08E827E9F06CE89FBDC6A894D71EB31A722A6CECE0B3980298826,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:09.589{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC8A396C266596262D1A57C5FFFC9E1A,SHA256=03668B1348B705B7FCE64D98F96929F217399ADB06384A17D4AED7235C0081B8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:09.658{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4F15-6323-0B01-000000007602}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:09.658{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:09.658{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:09.658{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:09.658{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:09.658{E743DC12-4ACF-6323-0500-000000007602}412428C:\Windows\system32\csrss.exe{E743DC12-4F15-6323-0B01-000000007602}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:09.658{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4F15-6323-0B01-000000007602}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:09.659{E743DC12-4F15-6323-0B01-000000007602}3244C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000191161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:09.303{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=A8FD131964EDE80CC4622FEDE20639B2,SHA256=DEBD93B18D020210D6D6F2E0647F0B4BAFA9D07B609749F44CB9DD6C26CD1CAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000350328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:09.210{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:09.210{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:10.895{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1892A26B7A9097C50A68D0D24FAB5FD,SHA256=7F57534149E3CB293730A1D9E98801ECE4D9DC3BE4627763DD06242196C0BB8A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:10.848{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4F16-6323-0D01-000000007602}2720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:10.848{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:10.848{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:10.848{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:10.848{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:10.848{E743DC12-4ACF-6323-0500-000000007602}4121064C:\Windows\system32\csrss.exe{E743DC12-4F16-6323-0D01-000000007602}2720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:10.848{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4F16-6323-0D01-000000007602}2720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:10.849{E743DC12-4F16-6323-0D01-000000007602}2720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000350331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:08.381{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63590-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000350330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:10.623{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=873814FBAF376DAE427999CCA8021D74,SHA256=BC8D20D0A4A74746ABBB82C20F8728D6315A04CD2729FC2463E3F8453AAA9F22,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:10.376{E743DC12-4F16-6323-0C01-000000007602}44844640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:10.173{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4F16-6323-0C01-000000007602}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:10.173{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:10.173{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:10.173{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:10.173{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:10.173{E743DC12-4ACF-6323-0500-000000007602}412528C:\Windows\system32\csrss.exe{E743DC12-4F16-6323-0C01-000000007602}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:10.173{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4F16-6323-0C01-000000007602}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:10.174{E743DC12-4F16-6323-0C01-000000007602}4484C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000350332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:11.676{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5E1215F970F7052CB5410E1B7DBED6C,SHA256=1D457607E42C42B06E8DFEB06965B9E25964B684211B7B564AC61717E24B2B97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:11.984{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7181E30A4FAC0C7A1E06A310D8910AA,SHA256=8FFE9461E740AE6486833A36125F02E022DD3C9EB1F230B9F8ED89B2CA2A3B39,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:09.473{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49908-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000191199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:11.609{E743DC12-4AD1-6323-2200-000000007602}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=5452B7DD668F2570731F57FFE967493D,SHA256=E2AA21BB82A7B06F6F964BE101BD4F28F4DAE7C3D1BD01B5ED6CB70D72D6525C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:11.515{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4F17-6323-0E01-000000007602}4868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:11.515{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:11.515{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:11.515{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:11.515{E743DC12-4ACF-6323-0C00-000000007602}724760C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:11.515{E743DC12-4ACF-6323-0500-000000007602}412528C:\Windows\system32\csrss.exe{E743DC12-4F17-6323-0E01-000000007602}4868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:11.515{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4F17-6323-0E01-000000007602}4868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:11.516{E743DC12-4F17-6323-0E01-000000007602}4868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000191190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:11.005{E743DC12-4F16-6323-0D01-000000007602}27204848C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000350333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:12.742{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCE7376BBAB50E3EA567A7B91A88B592,SHA256=6383B26470864C8FB3CE2D066E50E0AA634973C9EB4DBE8DBD591728B91D7F62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:12.968{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=919BB2152D7AE6C0704C5FDCF8F8F426,SHA256=807E8BF40DA3415865C8302F39F3044D3C5D81B6DEE8D315A606EF1466C7F01A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:13.837{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DE50C8690F9F55520EB7BA23169DFCC,SHA256=093EDE49DF8355391FCA34E1957F8EB7BE3FAB916547C4E9883F8B9F5FAAE077,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:14.925{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57B08B522720D1E9DAC39D40221BD30A,SHA256=BC04030BA158A5791DFE1BC10CF6CC74C6836018AC5BBD3AC207107B7F5DD846,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:14.068{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=976B60E675F25D7DAAFD8BC4F6D4A648,SHA256=6F08B985BD4C7D449DD08D83179335B3DCD173407F052B57D7CF8BED27A8464B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000350335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:14.122{6820D070-4AD1-6323-0D00-000000007502}8883304C:\Windows\system32\svchost.exe{6820D070-4AE2-6323-4C00-000000007502}3976C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000350337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:15.991{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48172BAE383E33AA16388A709CCADC56,SHA256=32E6F5ACA3A81947DBF5278CBEE4C82A565C52CD3F914E915331D8D7926E0026,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:15.270{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92C49104125222543657A17E76F4550E,SHA256=39D4BC986C2981C6BFA73E7AAC1611F68AD96D1D655E7B0E95F752B1C0F7DC11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:16.369{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F02C1FCEF74C0444A6A75567589A5623,SHA256=A23C641CB6B47DEC8D019D73DA4DF17A0908C24925A30EA75ABBC25E68F61FC2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000350338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:14.279{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63591-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000191207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:15.271{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49909-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000191206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:17.463{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2FF8E2BF8A85DCE92897FF963E30C78,SHA256=B9C5760E1198C7BE457DC0769A397C993CAE1FB75F82425F7D1F4CB476DCCD02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:17.045{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABE291DBC42D88CD20DB6F894F73F92A,SHA256=B315BE92DB4D2005A07E35E25B26A49B8FFE178A88DAAA9E94B0D809CA71DB81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:18.559{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EB92AE3C7A92BD10C5AACDEE00EBD2A,SHA256=2A4DB55CAD92C95D64CB7F90CBD3ACA064E69B4697EDF7A38FF71F8A093CABF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:18.097{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4752EF8B6CF20503FCDEC8A7A3920FFF,SHA256=0CAD5C94A4D233194DAED6C55CAD2E0D4FD80DA5680702340951884B80817E02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:19.659{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0F9C930C01961F87E93B3638DF247DB,SHA256=B1511E9DA03F65BF691288C09DE6F5B567023D2403F875A400CD1BA91D5C3309,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000350362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:19.483{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:19.471{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2900-000000007502}2576C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:19.463{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:19.450{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2600-000000007502}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:19.428{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2500-000000007502}2460C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:19.417{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADB-6323-2300-000000007502}2300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:19.411{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD2-6323-1B00-000000007502}1512C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:19.409{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1700-000000007502}1348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:19.397{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1600-000000007502}1292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:19.353{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:19.348{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1400-000000007502}1160C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:19.330{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1300-000000007502}924C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:19.314{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1200-000000007502}396C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:19.301{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1100-000000007502}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:19.288{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1000-000000007502}428C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:19.257{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0F00-000000007502}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:19.231{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:19.220{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0D00-000000007502}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:19.212{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 23542300x8000000000000000350343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:19.162{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=796C2B737149D77A3CF7DC2C0D5A5C8A,SHA256=6CD1C337B67D470E93FDE4F584A076AA247B1690D0D0A4CB73321C0535C5632A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000350342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:19.159{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:19.156{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0900-000000007502}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 23542300x8000000000000000191211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:20.878{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04591A39CCBA765D9234DDC89ED587CC,SHA256=2ACA35DCF44F4BEB085A1A8BFADDF5802F84BF61CF6DE974C3BAF853411D668A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:20.799{E743DC12-4AD1-6323-2200-000000007602}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:20.277{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0004DC597DD118ECFCC625D746EB2623,SHA256=D315147BB867597216AD9A3F4C648E79516154773239DFBC480E0717924C03FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000350365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:20.047{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2E00-000000007502}2728C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:20.046{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2D00-000000007502}2720C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:20.042{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 23542300x8000000000000000191212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:21.869{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA401FB1B9AC25A56E09F733C2AD228E,SHA256=28ED513A744C33B4D32774674CC5A541623ED0606DA403211116740BC50FC86E,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000350376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:21.638{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000350375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:21.636{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000350374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:21.632{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000350373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:21.628{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000350372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:21.627{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000350371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:21.626{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000350370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:21.620{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000350369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:21.367{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D91D5F42F6A097C6C39F08E3EAE5D0FD,SHA256=AFE30F3D531B0B1F937C149C1A99F5604D63C71D716D0A0711D4C7F26E19512D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000350368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:21.170{6820D070-4AD1-6323-0D00-000000007502}8883304C:\Windows\system32\svchost.exe{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:21.170{6820D070-4AD1-6323-0D00-000000007502}8883304C:\Windows\system32\svchost.exe{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:22.971{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF52D767A3BD8004804CA521FFB4577B,SHA256=ADF67B50FEE4BEEE93EF66146AB233FBD470EF4951BF09EB8C7E0A3F6406F0BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000350414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:22.783{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:22.767{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:22.764{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:22.762{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:22.759{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:22.757{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:22.751{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:22.748{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF6-6323-1401-000000007502}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:22.747{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:22.743{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F100-000000007502}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:22.740{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F000-000000007502}6028C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:22.738{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EF00-000000007502}5984C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:22.728{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EE00-000000007502}5852C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:22.698{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:22.688{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:22.680{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:22.657{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:22.652{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-9100-000000007502}4556C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:22.641{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-8E00-000000007502}4492C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:22.637{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8B00-000000007502}4360C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:22.636{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8900-000000007502}900C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:22.634{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B64-6323-8600-000000007502}5052c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:22.632{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B5A-6323-8400-000000007502}4824C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:22.628{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AF2-6323-7D00-000000007502}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:22.626{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:22.624{6820D070-4AD1-6323-0D00-000000007502}8883304C:\Windows\system32\svchost.exe{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:22.622{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4C00-000000007502}3976C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:22.621{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4700-000000007502}3772C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:22.619{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE1-6323-4600-000000007502}3752C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:22.619{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE0-6323-3A00-000000007502}3404C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 23542300x8000000000000000350384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:22.453{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5765A8AD082DF16BAF38E4B56D38EC30,SHA256=99E461B622604F936AD88849278DCC2285CD45523B35B1BF6D9164B14A7C6A2C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:20.016{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49910-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 10341000x8000000000000000350383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:22.109{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3500-000000007502}2408C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:22.108{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3300-000000007502}2176C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:22.105{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:22.103{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3100-000000007502}2816C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:22.101{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2F00-000000007502}2800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000350378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:22.099{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3000-000000007502}2780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 354300x8000000000000000350377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:19.393{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63592-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000191222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:23.998{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1000-000000007602}940C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:23.991{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0F00-000000007602}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:23.978{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0E00-000000007602}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 23542300x8000000000000000350474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.924{6820D070-4ADF-6323-3200-000000007502}2936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:23.961{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0D00-000000007602}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:23.954{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0C00-000000007602}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:23.945{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:23.941{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0900-000000007602}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 354300x8000000000000000191215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:20.457{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49911-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000350473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.784{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D7E907D7D430005D10BD8A61D48FBDEB,SHA256=BF836E8B06FD588B3FF705968B2FE556FB06602B9AE79F14964EE822EDE0413E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.784{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BEF948A4A49DCBE524271CF96CF44E2,SHA256=C4836CC261F260F8BEEA0E3EE10A9E2714BE64CC9C9EB7FF69D23902025226CC,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000350471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.769{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000350470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.769{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000350469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.769{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000350468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.734{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000350467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.734{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000350466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.734{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000350465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.734{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000350464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.734{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000350463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.733{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 734700x8000000000000000350462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.603{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000350461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.603{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000350460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.603{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000350459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.603{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000350458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.586{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000350457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.586{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000350456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.586{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000350455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.586{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000350454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.586{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000350453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.586{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000350452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.586{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000350451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.586{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000350450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.586{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000350449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.586{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000350448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.586{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000350447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.586{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000350446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.570{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000350445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.570{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000350444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.570{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000350443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.570{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000350442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.570{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000350441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.570{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000350440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.570{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000350439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.570{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000350438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.570{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000350437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.570{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000350436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.570{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000350435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.570{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000350434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.570{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000350433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.570{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000350432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.570{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000350431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.570{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000350430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.570{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000350429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.570{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000350428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.570{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000350427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.570{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000350426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.570{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000350425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.570{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000350424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.570{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000350423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.570{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000350422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.570{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000350421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.570{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.570{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.570{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.570{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.570{6820D070-4ACF-6323-0500-000000007502}404472C:\Windows\system32\csrss.exe{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000350416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.570{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000350415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.571{6820D070-4F23-6323-5E01-000000007502}7340C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000350591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.991{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDFC8857B8C752139267DE3F7F07BB79,SHA256=9D7D9115F954D5447B0364CC1D822359716BB059E33FC8454B130A72FE5B3703,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000350590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.885{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000350589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.883{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000350588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.882{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000191252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:24.216{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B84-6323-9000-000000007602}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:24.207{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:24.176{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:24.162{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8700-000000007602}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:24.149{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B81-6323-8400-000000007602}3052C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:24.145{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B80-6323-8100-000000007602}640C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:24.143{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B7F-6323-7F00-000000007602}1676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:24.141{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B4B-6323-7B00-000000007602}2656C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:24.138{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AE3-6323-6D00-000000007602}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:24.135{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:24.131{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4200-000000007602}3036C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:24.131{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4000-000000007602}3000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:24.127{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-3C00-000000007602}2820C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:24.125{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD2-6323-2B00-000000007602}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:24.125{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2600-000000007602}2612C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:24.124{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2500-000000007602}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:24.120{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:24.117{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:24.115{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2000-000000007602}2000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:24.113{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1F00-000000007602}1984C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:24.107{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1C00-000000007602}1924C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:24.101{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1900-000000007602}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:24.089{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1700-000000007602}1228C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:24.087{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1600-000000007602}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:24.079{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1500-000000007602}1056C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 23542300x8000000000000000191227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:24.059{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=182E3591750C2A8255C5D3FA558F8BEC,SHA256=95B03B476C1132C48086C2540167C2E4A594174C800AAC0893F17792B9605AD5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:24.054{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1400-000000007602}1048C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:24.041{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1300-000000007602}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:24.027{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1200-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:24.014{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1100-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000350587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.863{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000350586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.863{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000350585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.863{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000350584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.863{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000350583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.863{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000350582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.862{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 23542300x8000000000000000350581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.725{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08EFDA1B55D3CD4E788E8E80783E4BA1,SHA256=D9D17EDDFEA3FC8D974CCEBAB8549ED5E22D76BAAA89C4B593A88E3A96B20F08,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000350580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.705{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000350579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.705{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000350578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.705{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000350577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.705{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000350576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.705{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000350575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.705{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000350574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.705{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000350573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.705{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000350572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.704{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000350571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.703{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000350570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.688{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000350569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.688{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000350568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.688{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000350567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.688{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000350566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.688{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000350565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.688{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000350564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.688{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000350563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.688{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000350562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.688{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000350561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.688{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000350560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.688{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000350559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.688{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000350558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.688{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000350557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.688{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000350556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.688{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000350555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.688{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000350554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.688{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000350553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.688{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000350552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.688{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000350551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.688{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000350550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.688{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000350549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.688{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000350548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.688{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000350547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.688{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000350546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.688{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000350545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.688{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000350544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.688{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000350543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.688{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000350542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.688{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000350541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.688{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000350540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.688{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000350539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.688{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000350538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.688{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000350537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.688{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000350536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.688{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000350535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.688{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.688{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.688{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.688{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.688{6820D070-4ACF-6323-0500-000000007502}404520C:\Windows\system32\csrss.exe{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000350530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.688{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000350529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.691{6820D070-4F24-6323-6001-000000007502}8088C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000350528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.688{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83DCB69A81799666402A5B70690BC3D2,SHA256=FD63507E8569B4091B8E898A217237CF17E749AD39D4E13D4CFBF0A9B4D52E1A,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000350527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.286{6820D070-4F24-6323-5F01-000000007502}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000350526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.286{6820D070-4F24-6323-5F01-000000007502}76847832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000350525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.286{6820D070-4F24-6323-5F01-000000007502}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000350524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.286{6820D070-4F24-6323-5F01-000000007502}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000350523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.124{6820D070-4F24-6323-5F01-000000007502}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000350522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.124{6820D070-4F24-6323-5F01-000000007502}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000350521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.124{6820D070-4F24-6323-5F01-000000007502}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000350520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.124{6820D070-4F24-6323-5F01-000000007502}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000350519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.124{6820D070-4F24-6323-5F01-000000007502}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000350518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.124{6820D070-4F24-6323-5F01-000000007502}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000350517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.124{6820D070-4F24-6323-5F01-000000007502}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000350516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.124{6820D070-4F24-6323-5F01-000000007502}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000350515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.104{6820D070-4F24-6323-5F01-000000007502}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000350514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.104{6820D070-4F24-6323-5F01-000000007502}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000350513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.104{6820D070-4F24-6323-5F01-000000007502}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000350512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.104{6820D070-4F24-6323-5F01-000000007502}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000350511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.104{6820D070-4F24-6323-5F01-000000007502}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000350510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.104{6820D070-4F24-6323-5F01-000000007502}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000350509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.104{6820D070-4F24-6323-5F01-000000007502}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000350508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.104{6820D070-4F24-6323-5F01-000000007502}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000350507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.104{6820D070-4F24-6323-5F01-000000007502}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000350506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.104{6820D070-4F24-6323-5F01-000000007502}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000350505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.104{6820D070-4F24-6323-5F01-000000007502}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000350504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.104{6820D070-4F24-6323-5F01-000000007502}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000350503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.104{6820D070-4F24-6323-5F01-000000007502}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000350502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.104{6820D070-4F24-6323-5F01-000000007502}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000350501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.104{6820D070-4F24-6323-5F01-000000007502}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000350500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.104{6820D070-4F24-6323-5F01-000000007502}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000350499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.104{6820D070-4F24-6323-5F01-000000007502}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000350498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.104{6820D070-4F24-6323-5F01-000000007502}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000350497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.104{6820D070-4F24-6323-5F01-000000007502}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000350496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.104{6820D070-4F24-6323-5F01-000000007502}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000350495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.104{6820D070-4F24-6323-5F01-000000007502}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000350494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.104{6820D070-4F24-6323-5F01-000000007502}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000350493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.104{6820D070-4F24-6323-5F01-000000007502}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000350492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.104{6820D070-4F24-6323-5F01-000000007502}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000350491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.104{6820D070-4F24-6323-5F01-000000007502}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000350490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.104{6820D070-4F24-6323-5F01-000000007502}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000350489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.104{6820D070-4F24-6323-5F01-000000007502}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000350488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.104{6820D070-4F24-6323-5F01-000000007502}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000350487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.104{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4F24-6323-5F01-000000007502}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000350486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.104{6820D070-4F24-6323-5F01-000000007502}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000350485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.104{6820D070-4F24-6323-5F01-000000007502}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000350484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.104{6820D070-4F24-6323-5F01-000000007502}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000350483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.104{6820D070-4F24-6323-5F01-000000007502}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000350482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.104{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.104{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.104{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.104{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.104{6820D070-4ACF-6323-0500-000000007502}404420C:\Windows\system32\csrss.exe{6820D070-4F24-6323-5F01-000000007502}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000350477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.104{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4F24-6323-5F01-000000007502}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000350476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.106{6820D070-4F24-6323-5F01-000000007502}7684C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000350475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.104{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FF3BC0D0A034B12415DBE2FA02F8074,SHA256=7A7EB6512C567408671AD3A178010A1981F57AEBD6C4F21B4E1BDCA0D92506E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:25.423{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAC173094BCECF572C59CE0C1B2B3D60,SHA256=95138113043C5CDF9A939F4162E5BC6299934F217B2F5B05FAD532BC9BC8F4E2,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000350643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.561{6820D070-4F25-6323-6101-000000007502}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000350642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.561{6820D070-4F25-6323-6101-000000007502}82367228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000350641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.561{6820D070-4F25-6323-6101-000000007502}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000350640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.561{6820D070-4F25-6323-6101-000000007502}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000350639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.376{6820D070-4F25-6323-6101-000000007502}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000350638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.376{6820D070-4F25-6323-6101-000000007502}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000350637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.376{6820D070-4F25-6323-6101-000000007502}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000350636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.376{6820D070-4F25-6323-6101-000000007502}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000350635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.376{6820D070-4F25-6323-6101-000000007502}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000350634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.376{6820D070-4F25-6323-6101-000000007502}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000350633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.376{6820D070-4F25-6323-6101-000000007502}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000350632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.376{6820D070-4F25-6323-6101-000000007502}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000350631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.360{6820D070-4F25-6323-6101-000000007502}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000350630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.360{6820D070-4F25-6323-6101-000000007502}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000350629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.360{6820D070-4F25-6323-6101-000000007502}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000350628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.360{6820D070-4F25-6323-6101-000000007502}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000350627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.360{6820D070-4F25-6323-6101-000000007502}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000350626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.360{6820D070-4F25-6323-6101-000000007502}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000350625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.360{6820D070-4F25-6323-6101-000000007502}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000350624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.360{6820D070-4F25-6323-6101-000000007502}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000350623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.360{6820D070-4F25-6323-6101-000000007502}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000350622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.360{6820D070-4F25-6323-6101-000000007502}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000350621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.360{6820D070-4F25-6323-6101-000000007502}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000350620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.360{6820D070-4F25-6323-6101-000000007502}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000350619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.360{6820D070-4F25-6323-6101-000000007502}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000350618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.360{6820D070-4F25-6323-6101-000000007502}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000350617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.360{6820D070-4F25-6323-6101-000000007502}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000350616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.360{6820D070-4F25-6323-6101-000000007502}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000350615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.360{6820D070-4F25-6323-6101-000000007502}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000350614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.360{6820D070-4F25-6323-6101-000000007502}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000350613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.360{6820D070-4F25-6323-6101-000000007502}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000350612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.360{6820D070-4F25-6323-6101-000000007502}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000350611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.360{6820D070-4F25-6323-6101-000000007502}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000350610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.360{6820D070-4F25-6323-6101-000000007502}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000350609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.360{6820D070-4F25-6323-6101-000000007502}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000350608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.360{6820D070-4F25-6323-6101-000000007502}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000350607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.360{6820D070-4F25-6323-6101-000000007502}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000350606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.360{6820D070-4F25-6323-6101-000000007502}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000350605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.360{6820D070-4F25-6323-6101-000000007502}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000350604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.360{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4F25-6323-6101-000000007502}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000350603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.360{6820D070-4F25-6323-6101-000000007502}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000350602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.360{6820D070-4F25-6323-6101-000000007502}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000350601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.360{6820D070-4F25-6323-6101-000000007502}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000350600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.360{6820D070-4F25-6323-6101-000000007502}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000350599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.360{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.360{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.360{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.360{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.360{6820D070-4ACF-6323-0500-000000007502}404520C:\Windows\system32\csrss.exe{6820D070-4F25-6323-6101-000000007502}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000350594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.360{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4F25-6323-6101-000000007502}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000350593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.361{6820D070-4F25-6323-6101-000000007502}8236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000350592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:23.093{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63593-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000191255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:26.469{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C8B16A1BC98F82BD366836604331B4C,SHA256=0E37061D933B556CF501CF655ED625CE49C0F59A554540CC6A4F8752EA0AE714,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000350755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.932{6820D070-4F26-6323-6301-000000007502}75167528C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000350754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.932{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000350753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.932{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000350752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.882{6820D070-4B7E-6323-9200-000000007502}45764716C:\Windows\system32\taskhostw.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.845{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000350750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.845{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000350749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.839{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000350748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.839{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000350747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.839{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000350746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.838{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 23542300x8000000000000000350745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.748{6820D070-4ADF-6323-3200-000000007502}2936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=9DE13FD78B8FAC0DD41E6C15B610B693,SHA256=5195D383891CAD16CF88294A25A07551EC382EFA385248E08F0708D9876E0DFA,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000350744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.711{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000350743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.711{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000350742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.711{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000350741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.711{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000350740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.711{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000350739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.711{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000350738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.711{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000350737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.711{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000350736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.711{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000350735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.694{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000350734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.694{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000350733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.694{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000350732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.694{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000350731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.694{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000350730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.694{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000350729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.694{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000350728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.694{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000350727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.694{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000350726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.694{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000350725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.694{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000350724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.694{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000350723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.694{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000350722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.694{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000350721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.694{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000350720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.694{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000350719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.694{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000350718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.694{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000350717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.694{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000350716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.694{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000350715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.694{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000350714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.694{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000350713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.694{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000350712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.694{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000350711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.694{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000350710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.694{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000350709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.694{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000350708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.694{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000350707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.694{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000350706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.694{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000350705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.694{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000350704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.694{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000350703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.694{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.694{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.694{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.694{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.694{6820D070-4ACF-6323-0500-000000007502}404520C:\Windows\system32\csrss.exe{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000350698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.694{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000350697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.695{6820D070-4F26-6323-6301-000000007502}7516C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000350696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.493{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\glean\db\data.safe.binMD5=194CD5A31A1E5E836B3268680F051A29,SHA256=02DFC8E7218A17A199FB007E9BE359E4B8CDE485F55B4D53CF69842DDDA5746C,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000350695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.246{6820D070-4F26-6323-6201-000000007502}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000350694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.246{6820D070-4F26-6323-6201-000000007502}73447348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000350693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.246{6820D070-4F26-6323-6201-000000007502}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000350692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.246{6820D070-4F26-6323-6201-000000007502}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000350691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.092{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39DF198CC02F58C13F0D0B9B032EE050,SHA256=55A8121534A5A60026F2EA18AB5029D40F08495D9BAE7A4FA4B35258C3C86FC3,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000350690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.045{6820D070-4F26-6323-6201-000000007502}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000350689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.045{6820D070-4F26-6323-6201-000000007502}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000350688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.045{6820D070-4F26-6323-6201-000000007502}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000350687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.045{6820D070-4F26-6323-6201-000000007502}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000350686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.045{6820D070-4F26-6323-6201-000000007502}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000350685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.045{6820D070-4F26-6323-6201-000000007502}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000350684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.045{6820D070-4F26-6323-6201-000000007502}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000350683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.045{6820D070-4F26-6323-6201-000000007502}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000350682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.030{6820D070-4F26-6323-6201-000000007502}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000350681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.030{6820D070-4F26-6323-6201-000000007502}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000350680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.030{6820D070-4F26-6323-6201-000000007502}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000350679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.030{6820D070-4F26-6323-6201-000000007502}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000350678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.030{6820D070-4F26-6323-6201-000000007502}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000350677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.030{6820D070-4F26-6323-6201-000000007502}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000350676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.030{6820D070-4F26-6323-6201-000000007502}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000350675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.030{6820D070-4F26-6323-6201-000000007502}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000350674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.030{6820D070-4F26-6323-6201-000000007502}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000350673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.030{6820D070-4F26-6323-6201-000000007502}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000350672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.030{6820D070-4F26-6323-6201-000000007502}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000350671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.030{6820D070-4F26-6323-6201-000000007502}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000350670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.030{6820D070-4F26-6323-6201-000000007502}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000350669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.030{6820D070-4F26-6323-6201-000000007502}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000350668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.030{6820D070-4F26-6323-6201-000000007502}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000350667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.030{6820D070-4F26-6323-6201-000000007502}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000350666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.030{6820D070-4F26-6323-6201-000000007502}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000350665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.030{6820D070-4F26-6323-6201-000000007502}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000350664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.030{6820D070-4F26-6323-6201-000000007502}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000350663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.030{6820D070-4F26-6323-6201-000000007502}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000350662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.030{6820D070-4F26-6323-6201-000000007502}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000350661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.030{6820D070-4F26-6323-6201-000000007502}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000350660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.030{6820D070-4F26-6323-6201-000000007502}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000350659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.030{6820D070-4F26-6323-6201-000000007502}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000350658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.030{6820D070-4F26-6323-6201-000000007502}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000350657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.030{6820D070-4F26-6323-6201-000000007502}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000350656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.030{6820D070-4F26-6323-6201-000000007502}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 10341000x8000000000000000350655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.030{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4F26-6323-6201-000000007502}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000350654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.025{6820D070-4F26-6323-6201-000000007502}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000350653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.025{6820D070-4F26-6323-6201-000000007502}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000350652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.025{6820D070-4F26-6323-6201-000000007502}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000350651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.025{6820D070-4F26-6323-6201-000000007502}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000350650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.025{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.025{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.025{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.025{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.025{6820D070-4ACF-6323-0500-000000007502}404520C:\Windows\system32\csrss.exe{6820D070-4F26-6323-6201-000000007502}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000350645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.025{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4F26-6323-6201-000000007502}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000350644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:26.026{6820D070-4F26-6323-6201-000000007502}7344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000191254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:26.046{E743DC12-4AD0-6323-1C00-000000007602}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\respondent-20220915155459-017MD5=36EB26F9EED14D2A649109B5B0D3FC1A,SHA256=D5225DBB467937E991D5678F78067E4612BF477D9EC2143F1C43E71004CE921E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:27.573{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFD27BBEB86C5CDCB41EC1EDD23ED75D,SHA256=7642CA79AFBAF8E7CDE61B3E203F5F8D6C09972190EDEAA97BEE4B1B8F150E1D,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000350809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.412{6820D070-4F27-6323-6401-000000007502}8860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000350808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.411{6820D070-4F27-6323-6401-000000007502}8860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000350807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.410{6820D070-4F27-6323-6401-000000007502}8860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000350806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.212{6820D070-4F27-6323-6401-000000007502}8860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000350805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.212{6820D070-4F27-6323-6401-000000007502}8860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000350804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.212{6820D070-4F27-6323-6401-000000007502}8860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000350803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.212{6820D070-4F27-6323-6401-000000007502}8860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000350802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.212{6820D070-4F27-6323-6401-000000007502}8860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000350801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.212{6820D070-4F27-6323-6401-000000007502}8860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000350800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.212{6820D070-4F27-6323-6401-000000007502}8860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000350799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.212{6820D070-4F27-6323-6401-000000007502}8860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000350798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.211{6820D070-4F27-6323-6401-000000007502}8860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000350797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.211{6820D070-4F27-6323-6401-000000007502}8860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000350796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.211{6820D070-4F27-6323-6401-000000007502}8860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000350795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.211{6820D070-4F27-6323-6401-000000007502}8860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000350794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.210{6820D070-4F27-6323-6401-000000007502}8860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000350793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.210{6820D070-4F27-6323-6401-000000007502}8860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000350792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.210{6820D070-4F27-6323-6401-000000007502}8860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000350791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.210{6820D070-4F27-6323-6401-000000007502}8860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000350790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.210{6820D070-4F27-6323-6401-000000007502}8860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000350789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.210{6820D070-4F27-6323-6401-000000007502}8860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000350788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.210{6820D070-4F27-6323-6401-000000007502}8860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000350787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.210{6820D070-4F27-6323-6401-000000007502}8860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000350786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.210{6820D070-4F27-6323-6401-000000007502}8860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000350785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.209{6820D070-4F27-6323-6401-000000007502}8860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000350784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.209{6820D070-4F27-6323-6401-000000007502}8860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000350783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.209{6820D070-4F27-6323-6401-000000007502}8860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000350782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.209{6820D070-4F27-6323-6401-000000007502}8860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000350781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.209{6820D070-4F27-6323-6401-000000007502}8860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000350780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.209{6820D070-4F27-6323-6401-000000007502}8860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000350779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.209{6820D070-4F27-6323-6401-000000007502}8860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000350778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.208{6820D070-4F27-6323-6401-000000007502}8860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000350777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.208{6820D070-4F27-6323-6401-000000007502}8860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000350776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.207{6820D070-4F27-6323-6401-000000007502}8860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000350775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.207{6820D070-4F27-6323-6401-000000007502}8860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000350774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.207{6820D070-4F27-6323-6401-000000007502}8860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000350773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.206{6820D070-4F27-6323-6401-000000007502}8860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000350772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.207{6820D070-4F27-6323-6401-000000007502}8860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000350771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.206{6820D070-4F27-6323-6401-000000007502}8860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000350770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.205{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4F27-6323-6401-000000007502}8860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000350769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.204{6820D070-4F27-6323-6401-000000007502}8860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000350768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.204{6820D070-4F27-6323-6401-000000007502}8860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000350767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.203{6820D070-4F27-6323-6401-000000007502}8860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000350766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.203{6820D070-4F27-6323-6401-000000007502}8860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000350765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.202{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.202{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.202{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.202{6820D070-4ACF-6323-0500-000000007502}404420C:\Windows\system32\csrss.exe{6820D070-4F27-6323-6401-000000007502}8860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000350761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.202{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.202{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4F27-6323-6401-000000007502}8860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000350759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.201{6820D070-4F27-6323-6401-000000007502}8860C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000350758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.200{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BE8C2E29CD85A3DE0CE50770006F616,SHA256=0873BFE6459E03E6DB56EDC58D09DB46A30B1E72435FE2BD1F43D050A8E43697,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:27.180{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70D050729553CA7D7EA64F256A8F0731,SHA256=C4A029B556B9540A3F210B96D7D1F2F74F37A0718A01C98D054CDFAAA6D34C42,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000350756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:24.415{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63594-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000191256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:27.043{E743DC12-4AD0-6323-1C00-000000007602}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\surveyor-20220915155457-018MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:28.664{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96661FA9E08DF6B5926A1BF92F8E9838,SHA256=13A844F27825B2AF06AED38885A18AA69086B2352CEA09A0A0211569334F25A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:28.296{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE387C8605216D86EA27E86D8DD99F48,SHA256=F5B6AE402BF0FFC3D9045B7C651BE77B3144891AEA1DDED8CBEAC18053DD4816,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000350811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.838{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63595-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000350810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:25.838{6820D070-4ADF-6323-2600-000000007502}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63595-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 23542300x8000000000000000191260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:29.759{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=953FEE28581460B327C6AA6D32B40CE0,SHA256=350545A3772DC4638ABEBB08C879DE7DA218DFC9BD424771891CD68B29401EEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:29.251{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62467436F1FC7E82726C9118EF61B152,SHA256=12C60D32A76FEABD278D7AE205584CBD68428878410C6F292E3FBB0AB884E9C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:26.393{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49912-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x8000000000000000350815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:29.015{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\explorer.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x8000000000000000350814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:29.015{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\explorer.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000350813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:29.015{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\explorer.exeC:\Windows\System32\ieframe.dll11.00.14393.5291 (rs1_release.220806-1444)Internet BrowserInternet ExplorerMicrosoft CorporationIEFRAME.DLLMD5=6329F4135E892B4DC3169BEA689D89E7,SHA256=E4EF2B0881E78EFA1CFD0987EF1259CA0ED7C9BA4429BCE3C63401EEACC79CE0,IMPHASH=5917C913C5FD89360FBD7FB6D32C83A1trueMicrosoft WindowsValid 23542300x8000000000000000191261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:30.943{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78F13F5281724F823CAF4A055A187F73,SHA256=BF500CAD9919CD3EA06E23F605071BF2AE384C76A8CF3D35C49F9BA3E65FA51A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:30.333{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91E17A4CFC9213EF17AFE15178771EFA,SHA256=54AE93573275E5906D7774635FBAB569F1FB71D6B6EC559B84B03A1B5E39F0C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:31.386{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCCF2DEA52E474D23D9E77E3B648D55B,SHA256=726687ECD4E3CFD1C7C915D3A8CC387CC609F9FC8BFABFA526985F370E014F35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:32.473{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15ED056008948DD0532A0E24AEF14CC8,SHA256=F512E3A21B949A60E83793A2007DD62AC008092AA94A512AB92DF479EE9770EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:32.049{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AA0C1F9E9F540E0CB3C58130F0CF2F1,SHA256=996F24DC27C0BA08664713E938F46BBD85613BB3D5378A63A415E91421D96E3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:33.524{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=402CA1BD0C70CADDB905368135C16727,SHA256=A5D8664C6460A52B061A68473EA78EE126ADC36E1EAD1DEF148C49D39DBB73E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:33.145{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E10984DA344EEE9A414DB394A295024,SHA256=4B7EEA35DA4C9F626E74C198CB2C5029FB614F3C27A3238A953EC538EB2D5770,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000350820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:30.261{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63596-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000191264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:34.350{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED988575053708844B51E75172380E20,SHA256=D37B1596F715CCC15095A16C5B428734764C58F55711E75B7B91E12992BBBEB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:34.578{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E62746259C04C0C17A56255C9E8E799,SHA256=3533202FAEB3BEE5579968D92724A24463FB66B9037EC24CDFE0FAB36DD31BF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:35.664{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECBE5D257FB9251E48DFAC3BBB723DEC,SHA256=ADB5EFE3A52B33C02D688D5001B0C3F3DC3F60984BDD0E556D6A7F521021604D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:35.473{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32A94CFBAF06B1999A2148F489A95225,SHA256=8D754CC16A709FCDDC4F8C3C0F556E0B0CC61947D0EA1407B17097CD213BDAD4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:32.380{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49913-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000350824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:36.730{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6795627956C1F9947F8899818FCAD09E,SHA256=BF7D92982B25056914C60C270BF98DDB68CB8266C7000B3CF46605E0FF25BC72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:36.476{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5FA316462661299455E2FF3668CCF46,SHA256=46C09E8850CC59A0D7C6691468E833B70D58291D700531EBB9C9055E502F8E8A,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000350829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:37.816{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\explorer.exeC:\Windows\System32\globinputhost.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows Globalization Extension API for InputMicrosoft® Windows® Operating SystemMicrosoft Corporationglobinputhost.dllMD5=B92070EB12AF4C292155EBB155A0B6C3,SHA256=F155CFD56DC7199F16377259C55C0E8A26662A81588264F01D0E1F1387721DDC,IMPHASH=AB0E9B104017117F7BE18F3C6AAC279AtrueMicrosoft WindowsValid 734700x8000000000000000350828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:37.816{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\explorer.exeC:\Windows\System32\Windows.Globalization.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows GlobalizationMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Globalization.dllMD5=D92AABEAF72AB2FB3B2E2F911477039E,SHA256=300FEBB1EFE1EECA4F535A828104A8F4AEF8FC4785A0456B2D8DA76E7EDAFC96,IMPHASH=0280A5811869EFED56B453A140477D51trueMicrosoft WindowsValid 10341000x8000000000000000350827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:37.816{6820D070-4B7E-6323-9200-000000007502}45764716C:\Windows\system32\taskhostw.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000350826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:37.785{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E54A18FA2753F3CF7F54A019CE962F3C,SHA256=900E23BB2239E9074C88031FE01776CCB0355914AA578B2C007AAAACD2A5F835,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000350825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.localT1060,RunKeySetValue2022-09-15 16:13:37.733{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXEHKU\S-1-5-21-2725908065-3830167236-2451934224-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\RunMRU\MRUListefdcba 23542300x8000000000000000191268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:37.595{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27E8CF2E3080D6C7D1869602428A0EAB,SHA256=4552F939D611BC5B28F3B458CF3DE163D0C6E408EF6FF7C20BBE2DDC3DBD50BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:38.836{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A2530C3FE99BD173B482BC3D40FA5A0,SHA256=39ADE8F4A95FF0D6FB78E745361D80B0605C0FB93A59134A47149C5BEC84761E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:38.801{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3168A8ED243E206A05ADB4DB0DAAB8E,SHA256=FD0AEB5999344CC2B2329BB0582AABA40AEC9C4E04DDF66CF7E7746A9E9157AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000350831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:35.371{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63597-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x8000000000000000350830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:38.054{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\explorer.exeC:\Windows\System32\samcli.dll10.0.14393.0 (rs1_release.160715-1616)Security Accounts Manager Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSAMCLI.DLLMD5=AEF1161232D111EEA93F64B203F131AE,SHA256=C1DA3DF389A414AAA26FEEEA28F35AAC202CE3A5CC3AF26B7C0C14EBBC2157F9,IMPHASH=D27BDFF964B5FDB8A5E9B0599333826BtrueMicrosoft WindowsValid 23542300x8000000000000000350855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:39.887{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86FF40EE46522D44A6B7823EEB5EDE9D,SHA256=4CE4A1AB5BB9FA750934B0C7DB37695F617165E8AEB200E5BB30DA1FF4CCE0C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:39.900{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B7E1B1306FB790EBC430AEDC55105DF,SHA256=6EF0BEB7ECD8857F749CF98C1D47E1DC35B70F21E484A785F240A2AE679D6A36,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000350854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:39.828{6820D070-4AD1-6323-0D00-000000007502}8883304C:\Windows\system32\svchost.exe{6820D070-4AD1-6323-0C00-000000007502}828C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:39.429{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:39.421{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2900-000000007502}2576C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:39.414{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:39.404{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2600-000000007502}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:39.394{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2500-000000007502}2460C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:39.389{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADB-6323-2300-000000007502}2300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:39.386{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD2-6323-1B00-000000007502}1512C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:39.384{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1700-000000007502}1348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:39.368{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1600-000000007502}1292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:39.316{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:39.309{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1400-000000007502}1160C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:39.304{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1300-000000007502}924C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:39.295{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1200-000000007502}396C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:39.286{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1100-000000007502}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:39.279{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1000-000000007502}428C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:39.263{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0F00-000000007502}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:39.249{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:39.230{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0D00-000000007502}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:39.212{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:39.149{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:39.147{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0900-000000007502}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 23542300x8000000000000000350860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:40.959{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=453358044A63A9444D8335A4BCDBAE2B,SHA256=0B7D5125DC3754EC197F48092060FECF2A2CC9FAE2777C719BC4BA93BD1FFB94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:40.989{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FF314BBDB103BFA8B53FCEBD83E18F4,SHA256=34617E2608138AAA49CCAE7164A5F53D045F12F6142D32AADB674AB96185C7DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:40.814{6820D070-4ADF-6323-2900-000000007502}2576NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\respondent-20220915155514-017MD5=3EE9864ACDFFE78A8B2E0DEDF704C720,SHA256=3E9075B80C33CFA58EAF977E4450D367AD693E429428DFB55B91DE7FD240E49F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000350858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:40.071{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2E00-000000007502}2728C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:40.069{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2D00-000000007502}2720C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:40.065{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 354300x8000000000000000191271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:38.334{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49914-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000350861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:41.792{6820D070-4ADF-6323-2900-000000007502}2576NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\surveyor-20220915155511-018MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:41.845{E743DC12-4AD1-6323-2200-000000007602}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=251977D8A25FFFC51311BE67809F539A,SHA256=D69E423095FCA7FBF2EA827324EF553F13BB0AC445ED8D5D1A32C51F2DF1DD15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:42.095{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=286D6962E9BBCB7CB5B45DDB6EAC9206,SHA256=EB4E4B692DCA0F26E28D95B34F6EFE2E94221934268EC5C3AD737BEF6BAB323F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000350897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:42.804{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:42.787{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:42.781{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:42.774{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:42.771{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:42.768{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:42.764{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:42.760{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF6-6323-1401-000000007502}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:42.758{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:42.753{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F100-000000007502}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:42.749{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F000-000000007502}6028C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:42.748{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EF00-000000007502}5984C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:42.738{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EE00-000000007502}5852C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:42.701{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:42.688{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:42.671{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:42.630{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:42.623{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-9100-000000007502}4556C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:42.616{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-8E00-000000007502}4492C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:42.610{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8B00-000000007502}4360C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:42.609{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8900-000000007502}900C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:42.607{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B64-6323-8600-000000007502}5052c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:42.605{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B5A-6323-8400-000000007502}4824C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:42.603{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AF2-6323-7D00-000000007502}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:42.601{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:42.597{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4C00-000000007502}3976C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:42.596{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4700-000000007502}3772C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:42.594{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE1-6323-4600-000000007502}3752C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:42.593{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE0-6323-3A00-000000007502}3404C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:42.089{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3500-000000007502}2408C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:42.088{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3300-000000007502}2176C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:42.084{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:42.082{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3100-000000007502}2816C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:42.079{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2F00-000000007502}2800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000350863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:42.076{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3000-000000007502}2780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 23542300x8000000000000000350862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:42.007{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE30443985EA1FDA91E21395A54091EF,SHA256=C03F264F089C9974002D2C4032C10ADB539CB9943B68345B97801B34958EE07C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:43.995{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1200-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:43.984{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1100-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:43.973{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1000-000000007602}940C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:43.968{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0F00-000000007602}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:43.961{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0E00-000000007602}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:43.954{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0D00-000000007602}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:43.946{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0C00-000000007602}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:43.939{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:43.936{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0900-000000007602}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 23542300x8000000000000000191275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:43.300{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BAF3AD4FA6D92AFCE9B73D596AF5CA3,SHA256=1A5E1057F98FDF4269EA7BCD7C2DC0BAD9593DBD3C85B45B34683F6FE72DE770,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000350933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:43.943{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:43.942{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:43.642{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:43.642{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:43.642{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:43.642{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:43.642{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:43.642{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:43.642{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:43.642{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:43.642{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:43.642{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-3000-000000007502}2780C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:43.642{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-3000-000000007502}2780C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:43.642{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:43.642{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:43.641{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:43.641{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:43.641{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:43.641{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:43.641{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:43.641{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:43.641{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:43.641{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:43.641{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:43.641{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:43.641{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:43.641{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:43.641{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:43.641{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:43.641{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:43.640{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:43.640{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:43.640{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:43.640{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000350899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:40.417{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63598-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000350898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:43.078{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2C80A50BC7E106D25847E23C744EF38,SHA256=A3A2D2A3E356399F74AF666E9768177B670123EF8FB7002438E45285F6F4D88F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:44.428{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FA996BF83D2020DA1E178CB7E984982,SHA256=95EDDE32AFF7CBFB17E09AE2733AA2D1493B2D2D3D271FAEC8245712FD4BE9D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:44.127{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBE5D68798D5281790840CC2B0669D92,SHA256=9EB74B0C6BC6E833FBDDACF7A90596AB12E4D17E26092DE6B933EF39A17EF537,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:44.181{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B84-6323-9000-000000007602}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:44.170{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:44.152{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:44.145{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8700-000000007602}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:44.136{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B81-6323-8400-000000007602}3052C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:44.129{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B80-6323-8100-000000007602}640C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:44.127{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B7F-6323-7F00-000000007602}1676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:44.122{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B4B-6323-7B00-000000007602}2656C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:44.121{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AE3-6323-6D00-000000007602}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:44.118{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:44.115{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4200-000000007602}3036C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:44.115{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4000-000000007602}3000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:44.110{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-3C00-000000007602}2820C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:44.109{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD2-6323-2B00-000000007602}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:44.107{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2600-000000007602}2612C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:44.106{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2500-000000007602}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:44.102{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:44.096{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:44.092{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2000-000000007602}2000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:44.087{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1F00-000000007602}1984C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:44.078{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1C00-000000007602}1924C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:44.070{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1900-000000007602}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:44.055{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1700-000000007602}1228C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:44.048{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1600-000000007602}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:44.035{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1500-000000007602}1056C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:44.007{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1400-000000007602}1048C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:44.001{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1300-000000007602}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 354300x8000000000000000191314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:43.472{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49915-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000191313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:45.583{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53C3FA8FF7E0862CB2113532DBAABC8A,SHA256=490ABBAC4F5AA0484A3A4B9EA55D7B2BFDB5EBF04CB5577434D3CD16ABD23163,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:45.227{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADC561535FA2ABDA94D476E5BC1FF827,SHA256=09BB743C9AD7B9455F1D719FD88CA42CC48B044C8D0CCE387320448591857EB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:46.685{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12A6B1D13DB23B0C44005EB487FBFF51,SHA256=B0876F7F29DE6D21F4256E35F8999038159B8313942FEF0604A4C344F59BC0BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:46.263{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14170A79EC6F4451F09C192DCC0F98C0,SHA256=1589BB024F191554AEF7679C270F6E3D2E952FE51EFFEB950CCBABE8C1BC22AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:47.910{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CBF621688DB7DF78860BC7E3504BCC2,SHA256=4999DCB79A82117A3A9072A335141F26EF658507C5F3655A817200B0B2F1E8E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000350937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:47.299{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8735E0B39344D785D05C816915B9CEFA,SHA256=F55BCF47398115F994D2A57034E5088B7475D182E36F20FE135F3EAFD1FB6D50,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000350939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:46.400{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63599-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000350938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:48.332{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DF8163BF23EF96A03E7B68C64009583,SHA256=049698BA4D51354B0AE47869BEDFE15D837EAA54588B553DFD914263EB0C1837,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:49.103{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7E14BCEBB2095699A5FB0AECC357FD6,SHA256=0E8F99C844F12ADF5EE8BE5F69CCCCDA28B85ECFD5832248167599DDDB8EF7A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.873{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73B6FE78B77B27710926A788A802AA0A,SHA256=228D8CCCB7904F25DF54C9CDDCA93093985F0997ABE78E6D12EB818152E72292,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000351010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.726{6820D070-4F3D-6323-6801-000000007502}7160C:\Windows\System32\conhost.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000351009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.711{6820D070-4F3D-6323-6801-000000007502}7160C:\Windows\System32\conhost.exeC:\Windows\System32\ConhostV2.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=AF2A1A64E694FC8BF2BE884975815679,SHA256=D749115524D871CC1AEAC4B58F166319ADAA80D5AD14DD5CE468614B548A2F2D,IMPHASH=8186D8B119B7234AAF75B4C29E77630DtrueMicrosoft WindowsValid 734700x8000000000000000351008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.711{6820D070-4F3D-6323-6601-000000007502}6288C:\Windows\System32\conhost.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 10341000x8000000000000000351007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.726{6820D070-4F3D-6323-6801-000000007502}71606476C:\Windows\system32\conhost.exe{6820D070-4F3D-6323-6701-000000007502}7032C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000351006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.726{6820D070-4F3D-6323-6801-000000007502}7160C:\Windows\System32\conhost.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000351005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.711{6820D070-4F3D-6323-6801-000000007502}7160C:\Windows\System32\conhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000351004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.711{6820D070-4F3D-6323-6801-000000007502}7160C:\Windows\System32\conhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000351003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.711{6820D070-4F3D-6323-6801-000000007502}7160C:\Windows\System32\conhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000351002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.711{6820D070-4F3D-6323-6801-000000007502}7160C:\Windows\System32\conhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000351001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.711{6820D070-4F3D-6323-6801-000000007502}7160C:\Windows\System32\conhost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000351000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.711{6820D070-4F3D-6323-6801-000000007502}7160C:\Windows\System32\conhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000350999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.711{6820D070-4F3D-6323-6801-000000007502}7160C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000350998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.711{6820D070-4F3D-6323-6801-000000007502}7160C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000350997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.711{6820D070-4F3D-6323-6801-000000007502}7160C:\Windows\System32\conhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000350996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.711{6820D070-4F3D-6323-6601-000000007502}6288C:\Windows\System32\conhost.exeC:\Windows\System32\ConhostV2.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=AF2A1A64E694FC8BF2BE884975815679,SHA256=D749115524D871CC1AEAC4B58F166319ADAA80D5AD14DD5CE468614B548A2F2D,IMPHASH=8186D8B119B7234AAF75B4C29E77630DtrueMicrosoft WindowsValid 734700x8000000000000000350995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.711{6820D070-4F3D-6323-6801-000000007502}7160C:\Windows\System32\conhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000350994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.711{6820D070-4F3D-6323-6801-000000007502}7160C:\Windows\System32\conhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000350993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.711{6820D070-4F3D-6323-6801-000000007502}7160C:\Windows\System32\conhost.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 10341000x8000000000000000350992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.711{6820D070-4F3D-6323-6601-000000007502}62885912C:\Windows\system32\conhost.exe{6820D070-4F3D-6323-6501-000000007502}7040C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000350991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.711{6820D070-4F3D-6323-6801-000000007502}7160C:\Windows\System32\conhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x8000000000000000350990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.711{6820D070-4ACF-6323-0500-000000007502}404520C:\Windows\system32\csrss.exe{6820D070-4F3D-6323-6801-000000007502}7160C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x8000000000000000350989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.711{6820D070-4F3D-6323-6801-000000007502}7160C:\Windows\System32\conhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000350988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.711{6820D070-4F3D-6323-6801-000000007502}7160C:\Windows\System32\conhost.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000350987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.711{6820D070-4F3D-6323-6801-000000007502}7160C:\Windows\System32\conhost.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000350986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.711{6820D070-4F3D-6323-6601-000000007502}6288C:\Windows\System32\conhost.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000350985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.711{6820D070-4F3D-6323-6801-000000007502}7160C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0,IMPHASH=2C980A4DA7C717CC670CB9E1D2C4D733trueMicrosoft WindowsValid 734700x8000000000000000350984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.711{6820D070-4F3D-6323-6601-000000007502}6288C:\Windows\System32\conhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000350983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.711{6820D070-4F3D-6323-6601-000000007502}6288C:\Windows\System32\conhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000350982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.711{6820D070-4F3D-6323-6601-000000007502}6288C:\Windows\System32\conhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000350981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.711{6820D070-4F3D-6323-6601-000000007502}6288C:\Windows\System32\conhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000350980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.711{6820D070-4F3D-6323-6601-000000007502}6288C:\Windows\System32\conhost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000350979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.711{6820D070-4F3D-6323-6601-000000007502}6288C:\Windows\System32\conhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000350978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.711{6820D070-4F3D-6323-6701-000000007502}7032C:\Windows\System32\XblGameSaveTask.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000350977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.711{6820D070-4F3D-6323-6601-000000007502}6288C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000350976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.711{6820D070-4F3D-6323-6701-000000007502}7032C:\Windows\System32\XblGameSaveTask.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000350975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.711{6820D070-4F3D-6323-6601-000000007502}6288C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000350974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.711{6820D070-4F3D-6323-6601-000000007502}6288C:\Windows\System32\conhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000350973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.711{6820D070-4F3D-6323-6601-000000007502}6288C:\Windows\System32\conhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000350972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.711{6820D070-4F3D-6323-6701-000000007502}7032C:\Windows\System32\XblGameSaveTask.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000350971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.711{6820D070-4F3D-6323-6701-000000007502}7032C:\Windows\System32\XblGameSaveTask.exeC:\Windows\System32\XblGameSaveTask.exe10.0.14393.0 (rs1_release.160715-1616)XblGameSave Standby TaskMicrosoft® Windows® Operating SystemMicrosoft CorporationXblGameSaveTask.exeMD5=7E74F3C9FC2A07012E130A3F9D0EABD1,SHA256=BABFAEE679E6005D49F7C314BA7FDA93F31B447E8D799256CCBE8B07252B726A,IMPHASH=4C61F9F9A9F83764F7901F30F50348FAtrueMicrosoft WindowsValid 734700x8000000000000000350970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.689{6820D070-4F3D-6323-6601-000000007502}6288C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0,IMPHASH=2C980A4DA7C717CC670CB9E1D2C4D733trueMicrosoft WindowsValid 734700x8000000000000000350969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.711{6820D070-4F3D-6323-6601-000000007502}6288C:\Windows\System32\conhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 10341000x8000000000000000350968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.711{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.711{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000350966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.711{6820D070-4F3D-6323-6601-000000007502}6288C:\Windows\System32\conhost.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 10341000x8000000000000000350965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.711{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.711{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.711{6820D070-4ACF-6323-0500-000000007502}404520C:\Windows\system32\csrss.exe{6820D070-4F3D-6323-6701-000000007502}7032C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000350962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.711{6820D070-4AD1-6323-1500-000000007502}12202256C:\Windows\system32\svchost.exe{6820D070-4F3D-6323-6701-000000007502}7032C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a731|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.711{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.710{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000350959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.689{6820D070-4F3D-6323-6501-000000007502}7040C:\Windows\System32\XblGameSaveTask.exeC:\Windows\System32\XblGameSaveTask.exe10.0.14393.0 (rs1_release.160715-1616)XblGameSave Standby TaskMicrosoft® Windows® Operating SystemMicrosoft CorporationXblGameSaveTask.exeMD5=7E74F3C9FC2A07012E130A3F9D0EABD1,SHA256=BABFAEE679E6005D49F7C314BA7FDA93F31B447E8D799256CCBE8B07252B726A,IMPHASH=4C61F9F9A9F83764F7901F30F50348FAtrueMicrosoft WindowsValid 10341000x8000000000000000350958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.710{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000350957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.689{6820D070-4F3D-6323-6601-000000007502}6288C:\Windows\System32\conhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x8000000000000000350956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.689{6820D070-4ACF-6323-0500-000000007502}404420C:\Windows\system32\csrss.exe{6820D070-4F3D-6323-6601-000000007502}6288C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x8000000000000000350955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.689{6820D070-4F3D-6323-6601-000000007502}6288C:\Windows\System32\conhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000350954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.689{6820D070-4F3D-6323-6601-000000007502}6288C:\Windows\System32\conhost.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000350953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.689{6820D070-4F3D-6323-6601-000000007502}6288C:\Windows\System32\conhost.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000350952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.689{6820D070-4F3D-6323-6501-000000007502}7040C:\Windows\System32\XblGameSaveTask.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 10341000x8000000000000000350951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.689{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000350950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.689{6820D070-4F3D-6323-6501-000000007502}7040C:\Windows\System32\XblGameSaveTask.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000350949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.689{6820D070-4F3D-6323-6501-000000007502}7040C:\Windows\System32\XblGameSaveTask.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000350948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.689{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.689{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.689{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.689{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.689{6820D070-4ACF-6323-0500-000000007502}404472C:\Windows\system32\csrss.exe{6820D070-4F3D-6323-6501-000000007502}7040C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000350943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.689{6820D070-4AD1-6323-1500-000000007502}12201384C:\Windows\system32\svchost.exe{6820D070-4F3D-6323-6501-000000007502}7040C:\Windows\System32\XblGameSaveTask.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|c:\windows\system32\UBPM.dll+a731|c:\windows\system32\UBPM.dll+f954|c:\windows\system32\UBPM.dll+cd5c|c:\windows\system32\UBPM.dll+d325|c:\windows\system32\UBPM.dll+dc25|c:\windows\system32\UBPM.dll+e8fd|c:\windows\system32\UBPM.dll+e14a|c:\windows\system32\UBPM.dll+dda2|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+389a|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b65|C:\Windows\SYSTEM32\ntdll.dll+6586d|C:\Windows\SYSTEM32\ntdll.dll+656d0|C:\Windows\SYSTEM32\ntdll.dll+3a800|C:\Windows\SYSTEM32\ntdll.dll+1ed13|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.689{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000350941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.689{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000350940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.369{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F26834C801A09C6FADE07AB54ED92E71,SHA256=C2AC930AC230B9384BCFE278FB721F400122ABA8DA61C8FC472288F5F7E900A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:50.419{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE6367684F44FB3E7EED34365D5091CA,SHA256=4C8DD306727B60C4482E9CBA96C38658924270663E215FC636458E1D1E897244,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:50.760{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D3F2420D16349141F8F18DF4E9566BE1,SHA256=2C6D68276A5D62A722078E8C976D1F74F9A21417DC210E9C4742BA19AED912EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:50.429{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F4077DDBB67DB7652CD28A19BF95ACE,SHA256=654966075EF52BA94319CF708549A80DF12BC97895F715FB74A7AF1741DCAA0B,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000351031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:50.048{6820D070-4F3D-6323-6801-000000007502}7160C:\Windows\System32\conhost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000351030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:50.064{6820D070-4F3D-6323-6601-000000007502}6288C:\Windows\System32\conhost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000351029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:50.047{6820D070-4F3D-6323-6801-000000007502}7160C:\Windows\System32\conhost.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000351028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:50.063{6820D070-4F3D-6323-6601-000000007502}6288C:\Windows\System32\conhost.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000351027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:50.043{6820D070-4F3D-6323-6801-000000007502}7160C:\Windows\System32\conhost.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000351026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:50.062{6820D070-4F3D-6323-6601-000000007502}6288C:\Windows\System32\conhost.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000351025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:50.040{6820D070-4F3D-6323-6801-000000007502}7160C:\Windows\System32\conhost.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000351024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:50.062{6820D070-4F3D-6323-6601-000000007502}6288C:\Windows\System32\conhost.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000351023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.961{6820D070-4F3D-6323-6801-000000007502}7160C:\Windows\System32\conhost.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x8000000000000000351022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.945{6820D070-4F3D-6323-6601-000000007502}6288C:\Windows\System32\conhost.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000351021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.961{6820D070-4F3D-6323-6801-000000007502}7160C:\Windows\System32\conhost.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000351020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:49.941{6820D070-4F3D-6323-6601-000000007502}6288C:\Windows\System32\conhost.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x8000000000000000351019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:50.074{6820D070-4F3D-6323-6501-000000007502}7040C:\Windows\System32\XblGameSaveTask.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000351018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:50.074{6820D070-4F3D-6323-6501-000000007502}7040C:\Windows\System32\XblGameSaveTask.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000351017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:50.063{6820D070-4F3D-6323-6601-000000007502}6288C:\Windows\System32\conhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000351016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:50.063{6820D070-4F3D-6323-6601-000000007502}6288C:\Windows\System32\conhost.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000351015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:50.053{6820D070-4F3D-6323-6701-000000007502}7032C:\Windows\System32\XblGameSaveTask.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000351014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:50.052{6820D070-4F3D-6323-6701-000000007502}7032C:\Windows\System32\XblGameSaveTask.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000351013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:50.047{6820D070-4F3D-6323-6801-000000007502}7160C:\Windows\System32\conhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000351012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:50.043{6820D070-4F3D-6323-6801-000000007502}7160C:\Windows\System32\conhost.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 354300x8000000000000000191320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:49.435{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49916-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000191319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:51.526{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C09A8F7484E6A2BA0C2D578F7F74F7B,SHA256=98B85B544C9AAEFADD4E4EB90CFAD9F4CC822E7D47C18ACA1305348A86D51146,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:51.545{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=396CD9C571C9F0FCA79C79F2CAE75547,SHA256=AD6C27E2F065EB9A8947A3C715002E0FD628163B19023124D78770C47E20031D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:52.741{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2370EFBE0F082CCADE8FA4799C79C8AC,SHA256=702193D30929B45D384C75C31B5A5B67FDF8B70EACDDEEFC862E67B4E034AE0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:52.847{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\glean\db\data.safe.binMD5=7FB1D1310ECCE1ED3BFAC070A84E9AE9,SHA256=A19B19011FAB365889FEAD5429DBEE32D0206B094900980F33379255B31A5A14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:52.602{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00DD4982B0A5BEE75AFF5CDE503199BE,SHA256=8394A4DC51B92306C2A7F6E62BC87A0B3E28BE54BDA5F5F4705AD53156ABF37D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:53.833{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=932457102D4F7F7F54B51DB6B6BE489B,SHA256=3095E23FD7180240595B3C91274A1089F0FF6CE59BD91B707A9FED7E1E2672D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:53.652{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F17748C3ABB0067852754ED166101DE3,SHA256=A58E49B23BF0CF59FE66E945D237105BE04BF8435850CD9301627F5BC64DE7E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000351039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:52.238{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63600-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000351038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:54.693{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E56C6FA9BBD7B76A5E9908ED93E5999B,SHA256=993A55CF12E6B5BF409D34C457EB95E70BCE14ED9E974C25CB2565F94435C0E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:55.751{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=602CC1080A06BA874A9194318CE2B795,SHA256=0F24B1CB691553461DBA514FE084297B2E49370DD374E4E301278F6966923E38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:55.037{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=813F23A2B550E8D9B152F3AC5D96AF1D,SHA256=C093DD8D69176953B019A79CE67DC9007404D2CC56F0CDF156B7FB1B20E71C17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:56.984{6820D070-4ADF-6323-3200-000000007502}2936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=8DE3AC398F3412417154DED8FA99759C,SHA256=E76B29D74624F6F34CD7E88586EBE56D4528BF69AD502AF11C04955FFD3829A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:56.799{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E9E31BFC3A5B2667D8C14D7356102FD,SHA256=8B79F2DA9EE2100DDCC2D312C429CB7D54040BE1FA4F82DA92290B89FFEB1ABD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:56.247{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C50B37E3F98CEB48F4988CDD192C8966,SHA256=D18836D6BB007E3B831672579A2D72B350A8BBF3FF83BCDA5169EF84E2834488,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:57.834{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47E8FD7BD0D627DE0B161D463FB69DF4,SHA256=6BB545C770CCDC540ED645FE513EB12229E6F4A80BBAC8A831DDF5E9B5279F78,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:55.404{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49917-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000191326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:57.469{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57FCB404BF73D26E84F133E68ED63592,SHA256=7341501B9E14872EE914708F767CAC7D01A2353CB4A412F9D42D9149652BAF98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:57.406{E743DC12-4AD0-6323-1100-000000007602}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2A4671681D63F2238809BDAA1D99BB36,SHA256=55CCEB769B88DA68919FF707002E98E07BAD66A169FAD98561483456062A3165,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:58.887{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A32B3C4AA2C8BEDED1C202ADE093A621,SHA256=ABE41C0B3D0DC37CA9A178E6F821386C65ACDC888FF9D9367B8E4A5E4F1F92BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:58.840{6820D070-4AD1-6323-1100-000000007502}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=01FD6726A59DA0A4FC4A7D8A95EFDF87,SHA256=D9F45186862F41E7505C1F7B107E38F8EEACF29551079AE617CC71315ECAA392,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:58.558{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=907D5252C3E4BB41FA5F5E12314B3BB0,SHA256=4AD372D61EA40A869259F356F4A3E304D7B8B1E0DCA428505BDE7215BDA15271,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:59.929{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B26B1B6FD8F1C081D7D5255182F16926,SHA256=493FF250FAFF47DE35B928C2A55E9D274AC229FBC5CAED016AE289C2CCC9A813,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:13:59.764{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C80782C16CCECE71299509E14282590,SHA256=5A6625AF8D586D4425C56881A0D73A1DA4BFE5AA84BB6CAD5DABB0F27BB9671F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000351069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:59.827{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2E00-000000007502}2728C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:59.825{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2D00-000000007502}2720C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:59.820{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:59.373{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:59.363{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2900-000000007502}2576C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:59.357{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:59.346{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2600-000000007502}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:59.339{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2500-000000007502}2460C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:59.336{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADB-6323-2300-000000007502}2300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:59.333{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD2-6323-1B00-000000007502}1512C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:59.331{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1700-000000007502}1348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:59.322{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1600-000000007502}1292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:59.297{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:59.292{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1400-000000007502}1160C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:59.287{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1300-000000007502}924C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:59.275{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1200-000000007502}396C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:59.267{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1100-000000007502}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:59.260{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1000-000000007502}428C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:59.250{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0F00-000000007502}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:59.241{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:59.229{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0D00-000000007502}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:59.214{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:59.154{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:59.149{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0900-000000007502}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 354300x8000000000000000351074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:13:58.246{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63601-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000191330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:00.849{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E30CD4C8A6A53ECDF30960468CA38AA8,SHA256=D8D3C3B90E2433F01920CF74668EE7017A58B7AA749E87EF45C924FE8F84190D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000351073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:00.311{6820D070-4B7F-6323-9900-000000007502}29724976C:\Windows\Explorer.EXE{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+bdd30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8013285BCD8)|UNKNOWN(FFFFD9E122A77E08)|UNKNOWN(FFFFD9E122A77F87)|UNKNOWN(FFFFD9E122A72611)|UNKNOWN(FFFFD9E122A73FDA)|UNKNOWN(FFFFD9E122A72296)|UNKNOWN(FFFFF80132571503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000351072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:00.311{6820D070-4B7F-6323-9900-000000007502}29724976C:\Windows\Explorer.EXE{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bd811|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8013285BCD8)|UNKNOWN(FFFFD9E122A77E08)|UNKNOWN(FFFFD9E122A77F87)|UNKNOWN(FFFFD9E122A72611)|UNKNOWN(FFFFD9E122A73FDA)|UNKNOWN(FFFFD9E122A72296)|UNKNOWN(FFFFF80132571503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000351071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:00.311{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF12217a.TMPMD5=AE83E3D1BED7E22F099EC37882555B7F,SHA256=19C20C1DAA5B1C1F7E9A0561569A10ABB7DBF1B544D26F74C2B5990D9C688508,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000351081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:01.893{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3500-000000007502}2408C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:01.889{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3300-000000007502}2176C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:01.880{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:01.875{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3100-000000007502}2816C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:01.870{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2F00-000000007502}2800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:01.867{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3000-000000007502}2780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 23542300x8000000000000000351075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:01.013{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F2D96E3BF86AF5F63C7AEDD6975B072,SHA256=E46DBEAF83ABD60B7FD5ADB953ED9BBEB53E47C4FBCC793A3D09C3CE1D95E0CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:02.067{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CC986DC47BA4CB2D88ED566397F7763,SHA256=615CDDDD59C75DC96D198A8DA613304E1A8A508CB33F55099FAB9AC830255DE2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000351111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:02.576{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:02.561{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:02.558{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:02.555{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:02.552{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:02.550{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:02.542{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:02.538{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF6-6323-1401-000000007502}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:02.535{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:02.532{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F100-000000007502}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:02.530{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F000-000000007502}6028C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:02.528{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EF00-000000007502}5984C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:02.519{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EE00-000000007502}5852C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:02.489{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:02.482{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:02.471{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:02.443{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:02.437{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-9100-000000007502}4556C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:02.430{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-8E00-000000007502}4492C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:02.425{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8B00-000000007502}4360C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:02.424{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8900-000000007502}900C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:02.416{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B64-6323-8600-000000007502}5052c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:02.413{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B5A-6323-8400-000000007502}4824C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:02.410{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AF2-6323-7D00-000000007502}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:02.408{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:02.404{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4C00-000000007502}3976C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:02.403{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4700-000000007502}3772C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:02.401{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE1-6323-4600-000000007502}3752C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:02.400{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE0-6323-3A00-000000007502}3404C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 23542300x8000000000000000351082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:02.014{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDFDBA8353035D6B23C8E25ABA2323B2,SHA256=B3292E34856999F389A839112B9EB900DB3C8D2708EBAC5D3C9491A833E7F9C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:01.427{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49918-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000191332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:03.278{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=171B4503987E5B54CE9388F6D1CD7DB4,SHA256=9F071E60D4A72FC884F6DF6328D79E4CFD6625A4D2B643F6C89661C9A29FBA42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:03.469{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61DD77B3804D47D7C309B171D3A2CE6D,SHA256=0163FD6421E97B55105CEDC8DC1A7A552E062B12587BC2814DB0645C000D1E21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:04.630{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9949A58B3591C1E5DC3B40141BD8623B,SHA256=B7454AE3482A7EC8E1DFD8970D3D1098BFB0482D5DDD8E091872CF372A460BEF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:04.307{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B84-6323-9000-000000007602}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:04.298{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:04.283{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 23542300x8000000000000000351114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:04.486{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFD116F22E1B3504258F42A9B4110042,SHA256=B6C11EF098DA870383F409BBAE4F062EDCFCD16946643649CA1C283820970633,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:04.272{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8700-000000007602}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:04.257{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B81-6323-8400-000000007602}3052C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:04.252{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B80-6323-8100-000000007602}640C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:04.248{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B7F-6323-7F00-000000007602}1676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:04.248{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B4B-6323-7B00-000000007602}2656C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:04.246{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AE3-6323-6D00-000000007602}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:04.236{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:04.232{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4200-000000007602}3036C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:04.232{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4000-000000007602}3000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:04.223{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-3C00-000000007602}2820C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:04.221{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD2-6323-2B00-000000007602}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:04.220{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2600-000000007602}2612C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:04.218{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2500-000000007602}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:04.215{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:04.205{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:04.203{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2000-000000007602}2000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:04.200{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1F00-000000007602}1984C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:04.194{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1C00-000000007602}1924C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:04.188{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1900-000000007602}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:04.167{E743DC12-4AD0-6323-0D00-000000007602}7885104C:\Windows\system32\svchost.exe{E743DC12-4B81-6323-8400-000000007602}3052C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:04.159{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1700-000000007602}1228C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:04.156{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1600-000000007602}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:04.146{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1500-000000007602}1056C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:04.123{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1400-000000007602}1048C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:04.118{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1300-000000007602}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:04.112{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1200-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:04.098{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1100-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:04.080{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1000-000000007602}940C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:04.070{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0F00-000000007602}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:04.060{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0E00-000000007602}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:04.050{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0D00-000000007602}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:04.027{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0C00-000000007602}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:04.010{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:04.005{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0900-000000007602}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000351113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:04.188{6820D070-4AD1-6323-0D00-000000007502}8883304C:\Windows\system32\svchost.exe{6820D070-4B7E-6323-8E00-000000007502}4492C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:05.352{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEA5EDF558BA8D8AF5A7CE2B0AB1AED2,SHA256=C53A6BDE0CDA583ED60D939877A17E72FC55F1A5615CEFDC468B0E39B44A7F8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:05.588{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC1BA208360B768C02D022A56E7C4C0A,SHA256=0FA5922F64847667BF6934FC3C329021D7FE221896B02AC8DC8DD4285C39A8A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:06.551{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19EA1F3C54E72CEC774E94B22EB20835,SHA256=815D963CA869D253C59E0A4B81AD881C77F3CE568E2C8A0C496DE411F42D2AD7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000351117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:04.221{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63602-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000351116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:06.654{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EC1A6688FCC01560893EB6B272418F5,SHA256=B058ACB0F4005EE6C3DFFE01A48A0290EC01FFE50439D8D8752DA2D9FD26AD71,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:06.304{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:06.304{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:06.304{E743DC12-4ACF-6323-0B00-000000007602}628668C:\Windows\system32\lsass.exe{E743DC12-4AD0-6323-1400-000000007602}1048C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:06.291{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-1D00-000000007602}1944C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:07.658{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4F4F-6323-0F01-000000007602}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:07.658{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:07.658{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:07.658{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:07.658{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:07.658{E743DC12-4ACF-6323-0500-000000007602}4121064C:\Windows\system32\csrss.exe{E743DC12-4F4F-6323-0F01-000000007602}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:07.657{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4F4F-6323-0F01-000000007602}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:07.657{E743DC12-4F4F-6323-0F01-000000007602}4176C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000191378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:07.641{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66FFBA27C793E731E164E4E477F9BDD5,SHA256=B1B915010CFA0C4528E00771CDA19C3460112D53C91AE4E24D52D513DE46DEA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:07.691{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFCBB45A3844A4E6CB3ABDF3DD095E4E,SHA256=EE1D7338E3BCF4FB8795752C40584AE5F0CDA9CAE55FF284ADF1FB386E73EDE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:08.738{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B56F5854C28A9931FBB66B46909F84A6,SHA256=2B434488D5D76410C30F7576D1D7FAFF1EA134F39B1BF13929DB3EE6B83155E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:08.738{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E33187FC8D729C63723F84A5629A65A,SHA256=3146396D4899031034947B8FD73E2D41BF2EA12F1CDB6A47D29A14C5BB6A5D41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:08.725{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=187BCC83923B06CB0EA7A22BF2047F32,SHA256=EDDEE777138BB81D0C07AF6D06FC3E5EEF65EF4264F2712DC32B921D3C87D59E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:08.519{E743DC12-4F50-6323-1001-000000007602}4856908C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:08.342{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4F50-6323-1001-000000007602}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:08.342{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:08.342{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:08.342{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:08.342{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:08.342{E743DC12-4ACF-6323-0500-000000007602}4121064C:\Windows\system32\csrss.exe{E743DC12-4F50-6323-1001-000000007602}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:08.342{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4F50-6323-1001-000000007602}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:08.343{E743DC12-4F50-6323-1001-000000007602}4856C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000191422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:09.921{E743DC12-4F51-6323-1201-000000007602}27923104C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:09.827{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF065DF0A54EA2142B25B6CA4B98DB5D,SHA256=3B2096D3CF9D54F960A2226E33ACE52049F62A52E26F87E381A3137E059165C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:09.795{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C255897F9A7664A99AC3AC11ECA4540,SHA256=DB594FEADA7DA283D6FDAE6A329C6033B068CDBA8D2D803646FEE63C17855A8A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:09.687{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4F51-6323-1201-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:09.687{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:09.687{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:09.687{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:09.687{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:09.687{E743DC12-4ACF-6323-0500-000000007602}412528C:\Windows\system32\csrss.exe{E743DC12-4F51-6323-1201-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:09.687{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4F51-6323-1201-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:09.687{E743DC12-4F51-6323-1201-000000007602}2792C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000191412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:09.186{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4F51-6323-1101-000000007602}228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 10341000x8000000000000000191411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:09.186{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4F51-6323-1101-000000007602}228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 10341000x8000000000000000191410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:09.186{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4F51-6323-1101-000000007602}228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 10341000x8000000000000000191409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:09.185{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4F51-6323-1101-000000007602}228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 10341000x8000000000000000191408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:09.181{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4F51-6323-1101-000000007602}228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 10341000x8000000000000000191407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:09.181{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4F51-6323-1101-000000007602}228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 23542300x8000000000000000191406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:09.168{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=D7C501F5F9F682EC996A1E214361FA04,SHA256=2307691EAF02299D26EF40F9DDF148B2D971055AEE163EF6CB380C7ED6878933,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:09.019{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4F51-6323-1101-000000007602}228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:09.019{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:09.019{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:09.019{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:09.019{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:09.019{E743DC12-4ACF-6323-0500-000000007602}412528C:\Windows\system32\csrss.exe{E743DC12-4F51-6323-1101-000000007602}228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:09.019{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4F51-6323-1101-000000007602}228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:09.020{E743DC12-4F51-6323-1101-000000007602}228C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000351121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:10.845{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=591A5599A14FF95EBB9AC03E38E8E070,SHA256=24E6E62F2069645386A9D2B17058B64CFFBE6D223FD7E773100E27AB902B9BA8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:10.949{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4F52-6323-1401-000000007602}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:10.949{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:10.949{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:10.949{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:10.949{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:10.949{E743DC12-4ACF-6323-0500-000000007602}412428C:\Windows\system32\csrss.exe{E743DC12-4F52-6323-1401-000000007602}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:10.949{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4F52-6323-1401-000000007602}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:10.949{E743DC12-4F52-6323-1401-000000007602}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000191433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:10.917{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=212DAA89EF00F9CB79E640324BD0B496,SHA256=30CFB87777DC74B94F2B5F1F705334642DB485A6AEFC560DBD119DB11E4B9E80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:10.476{E743DC12-4F52-6323-1301-000000007602}1364352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:10.287{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4F52-6323-1301-000000007602}136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:10.287{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:10.287{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:10.287{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:10.287{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:10.287{E743DC12-4ACF-6323-0500-000000007602}412428C:\Windows\system32\csrss.exe{E743DC12-4F52-6323-1301-000000007602}136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:10.287{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4F52-6323-1301-000000007602}136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:10.290{E743DC12-4F52-6323-1301-000000007602}136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000191423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:07.305{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49919-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000351122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:11.882{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=296743590E52488C12634A134F5EE4B6,SHA256=54EDA8BB28506C4755489CB1C72C664FFAD33C15F25598D78C51BA76297BA6F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:11.626{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4F53-6323-1501-000000007602}4532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:11.626{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:11.626{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:11.626{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:11.626{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:11.626{E743DC12-4ACF-6323-0500-000000007602}412428C:\Windows\system32\csrss.exe{E743DC12-4F53-6323-1501-000000007602}4532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:11.626{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4F53-6323-1501-000000007602}4532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:11.627{E743DC12-4F53-6323-1501-000000007602}4532C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000191442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:11.089{E743DC12-4F52-6323-1401-000000007602}37444116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000351123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:12.931{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B29FD76ADC4AD9835CE23E1ACCD90441,SHA256=099028FD2A5002EDF0CE6AE54373A8AEDB6BDD6B4CA645C82A10C97487B12EB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:12.017{E743DC12-4AD1-6323-2200-000000007602}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=76D60B1B89FEF9264EE8084670FE7EA2,SHA256=29D8D1FB9B6508C36E6EFE506416128435FCB98211049146CC283B70FA2175BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:12.001{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D92B41AA1DDDF379877DC8EC60545444,SHA256=82CD99DB0DC72AE49D94FB1CDF700928632E128211F0F44297DF08616EB6BFE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:13.966{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=871009989D4EE69B93AEE0E1850C7A88,SHA256=F9807F98D03144868E4397BE79A7F330AE0BABF7914519E16D943D8E80C9037D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000351124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:10.251{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63603-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000191453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:13.104{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A8F88CA70C6B0582CDDA709C27119F7,SHA256=8D5A80698141EDACF4AA7EB418727C1CFC9E41AB01D3C902D59572C3561F7D0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:14.200{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=984EDB7F6BA4D9F09287E57D108EF2C9,SHA256=127AE9A6C052B43A3E6E7ADA56667AFD33A502F09519417594B4E41C9D420954,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:15.286{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94DC01FD12180781D9E13C14016EACB2,SHA256=9BD1FBFCD560F494296FBDADC7F8A85D8440E999690F03553054FB5318A44449,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:15.003{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78F9DEE085AB83842C72F99710202C7D,SHA256=FA29916E86496CCA2E5308064416217FC2334517FB2E1AFDAA7B1F6FC950AF33,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:13.270{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49920-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000191457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:16.492{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3107B8D92DB3A8816505896667560687,SHA256=A6DED2666659CACD9AE23C3A69B54043578EADF18E17C34A8C9976F73605DCFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:16.035{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82B51AAB7B8AEDB905F1BE0864B9FB08,SHA256=92074BDB60972CA238465AA31492E99BC4A8A1145A6D75FF9D34FE76419A0A52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:17.601{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68581DA0EF4917209ED5D1265C495D84,SHA256=F77AFAFD2EC23228CB49FA91923B4E7A698568E94F78516C97E5F15332EF3545,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:17.089{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FB62D7C1D326696AE689343553E9722,SHA256=49629ED22D56B526067422E6716AE897C7C603957B98178205ABC617AFA68B75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:18.676{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D44305B97938C6DB0F4C3B992696C0A,SHA256=1EDCBC8A47E786F5B092BDE38C48353ACF2FE2506B8E080C465815D44383E064,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:18.123{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=113CF282A461408F5299457743FDA88C,SHA256=73AD44258D44D63850AED3AF3EE5B43E1B8588D51E8E92939C34E5B9939D81F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000351129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:15.309{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63604-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000191460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:19.776{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D8E149D9B1EA3A75580C84DEBCAFE96,SHA256=37A431393608B2FAAE0048487B4972FC7B3E9E74673A6BA6E8436782B40383F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000351155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:19.846{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2E00-000000007502}2728C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:19.844{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2D00-000000007502}2720C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:19.840{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:19.483{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:19.478{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2900-000000007502}2576C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:19.470{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:19.460{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2600-000000007502}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:19.452{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2500-000000007502}2460C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:19.449{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADB-6323-2300-000000007502}2300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:19.447{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD2-6323-1B00-000000007502}1512C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:19.439{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1700-000000007502}1348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:19.423{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1600-000000007502}1292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:19.397{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:19.387{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1400-000000007502}1160C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:19.382{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1300-000000007502}924C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:19.373{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1200-000000007502}396C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:19.364{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1100-000000007502}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:19.352{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1000-000000007502}428C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:19.340{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0F00-000000007502}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:19.332{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:19.321{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0D00-000000007502}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:19.312{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:19.183{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:19.171{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0900-000000007502}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 23542300x8000000000000000351131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:19.158{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27225AB0C0763FE3478034CAE5D19739,SHA256=4EE234158312A666F4613C70D8825B77D70A0D31A210B8FF67607C4FF2BF183B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:20.875{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=448C1F0E9A5782C78A29C05F78A54623,SHA256=D5B08EA8D3DF04E73A98F0A9F965AFDE0ABAF75DA535CB4EF05A4382E508F111,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:20.828{E743DC12-4AD1-6323-2200-000000007602}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:20.207{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECE150DE6A1691125E339BC9CA5B554F,SHA256=E3E51BEFA6AB8E206F1E720112FCC9C70286151E895E4504375EE7C521ADC581,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:18.317{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49921-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000191464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:21.874{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A52B605FD6DE7658939CCA376C5FD3F,SHA256=F9B19BDE9FED3E45F2E870DEA0BC01725756DFD3304AEB534A74E7EA07F404C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000351170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:21.890{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3500-000000007502}2408C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:21.889{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3300-000000007502}2176C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:21.885{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:21.882{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3100-000000007502}2816C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:21.879{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2F00-000000007502}2800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:21.876{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3000-000000007502}2780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 734700x8000000000000000351164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:21.627{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000351163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:21.627{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000351162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:21.626{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000351161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:21.622{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000351160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:21.622{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000351159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:21.622{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000351158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:21.621{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000351157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:21.275{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E98040FBF89A861104FCB747BD63FA33,SHA256=B683D7D696D01C164131AFD1D053AAD9E0A67CA56E1D4DC22716D012E38F73B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:22.964{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D7202E0F7344FD43234621B15248740,SHA256=6F3CEE82B29708226260DD59068C39653A5E3041772696DE0DC70368A3439E55,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000351200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:22.567{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E84-6323-4F01-000000007502}6696C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:22.549{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:22.545{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:22.541{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:22.536{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:22.523{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:22.518{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:22.515{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF6-6323-1401-000000007502}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:22.514{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:22.511{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F100-000000007502}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:22.508{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F000-000000007502}6028C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:22.506{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EF00-000000007502}5984C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:22.499{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EE00-000000007502}5852C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:22.479{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:22.473{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:22.464{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:22.442{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:22.433{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-9100-000000007502}4556C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:22.425{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-8E00-000000007502}4492C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:22.420{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8B00-000000007502}4360C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:22.419{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8900-000000007502}900C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:22.417{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B64-6323-8600-000000007502}5052c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:22.414{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B5A-6323-8400-000000007502}4824C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:22.410{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AF2-6323-7D00-000000007502}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:22.408{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:22.402{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4C00-000000007502}3976C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:22.402{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4700-000000007502}3772C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:22.399{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE1-6323-4600-000000007502}3752C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000351172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:22.399{6820D070-4ADF-6323-2A00-000000007502}26163640C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE0-6323-3A00-000000007502}3404C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 23542300x8000000000000000351171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:22.332{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A873AB1176D60E3FDA3E7984D3D0D40,SHA256=5B329059E72AEFA5A55B693DA6E60BB9B83B1396D9E16078AA0AA242779EA704,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:20.048{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49922-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000351254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.928{6820D070-4ADF-6323-3200-000000007502}2936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000351253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.661{6820D070-4F5F-6323-6901-000000007502}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000351252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.661{6820D070-4F5F-6323-6901-000000007502}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000351251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.661{6820D070-4F5F-6323-6901-000000007502}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000351250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.498{6820D070-4F5F-6323-6901-000000007502}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000351249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.494{6820D070-4F5F-6323-6901-000000007502}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000351248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.494{6820D070-4F5F-6323-6901-000000007502}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000351247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.478{6820D070-4F5F-6323-6901-000000007502}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000351246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.498{6820D070-4F5F-6323-6901-000000007502}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000351245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.498{6820D070-4F5F-6323-6901-000000007502}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000351244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.498{6820D070-4F5F-6323-6901-000000007502}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000351243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.494{6820D070-4F5F-6323-6901-000000007502}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000351242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.494{6820D070-4F5F-6323-6901-000000007502}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000351241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.478{6820D070-4F5F-6323-6901-000000007502}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000351240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.478{6820D070-4F5F-6323-6901-000000007502}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000351239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.478{6820D070-4F5F-6323-6901-000000007502}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000351238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.478{6820D070-4F5F-6323-6901-000000007502}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000351237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.478{6820D070-4F5F-6323-6901-000000007502}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000351236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.478{6820D070-4F5F-6323-6901-000000007502}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000351235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.478{6820D070-4F5F-6323-6901-000000007502}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000351234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.478{6820D070-4F5F-6323-6901-000000007502}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000351233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.478{6820D070-4F5F-6323-6901-000000007502}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000351232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.478{6820D070-4F5F-6323-6901-000000007502}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000351231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.478{6820D070-4F5F-6323-6901-000000007502}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000351230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.478{6820D070-4F5F-6323-6901-000000007502}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000351229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.478{6820D070-4F5F-6323-6901-000000007502}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000351228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.478{6820D070-4F5F-6323-6901-000000007502}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000351227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.478{6820D070-4F5F-6323-6901-000000007502}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000351226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.478{6820D070-4F5F-6323-6901-000000007502}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000351225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.478{6820D070-4F5F-6323-6901-000000007502}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000351224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.478{6820D070-4F5F-6323-6901-000000007502}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000351223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.478{6820D070-4F5F-6323-6901-000000007502}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000351222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.478{6820D070-4F5F-6323-6901-000000007502}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000351221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.478{6820D070-4F5F-6323-6901-000000007502}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000351220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.478{6820D070-4F5F-6323-6901-000000007502}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000351219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.478{6820D070-4F5F-6323-6901-000000007502}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000351218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.478{6820D070-4F5F-6323-6901-000000007502}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000351217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.478{6820D070-4F5F-6323-6901-000000007502}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000351216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.478{6820D070-4F5F-6323-6901-000000007502}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000351215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.478{6820D070-4F5F-6323-6901-000000007502}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000351214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.478{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4F5F-6323-6901-000000007502}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000351213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.478{6820D070-4F5F-6323-6901-000000007502}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000351212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.478{6820D070-4F5F-6323-6901-000000007502}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000351211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.478{6820D070-4F5F-6323-6901-000000007502}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000351210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.478{6820D070-4F5F-6323-6901-000000007502}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000351209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.478{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.478{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.478{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.478{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.478{6820D070-4ACF-6323-0500-000000007502}404472C:\Windows\system32\csrss.exe{6820D070-4F5F-6323-6901-000000007502}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000351204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.478{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4F5F-6323-6901-000000007502}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000351203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.479{6820D070-4F5F-6323-6901-000000007502}6272C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000351202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.478{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1323B5CF79672F04000186B11FD7E35B,SHA256=3D2E77701E54DCC71522AF3DD14CD46E66D59F6ED5BEA5FD462997CC87EA013C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:23.995{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1100-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000191473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:23.981{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1000-000000007602}940C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000191472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:23.974{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0F00-000000007602}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000191471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:23.957{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0E00-000000007602}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000191470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:23.949{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0D00-000000007602}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000191469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:23.942{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0C00-000000007602}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000191468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:23.936{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000191467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:23.933{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0900-000000007602}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 354300x8000000000000000351201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:20.399{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63605-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x8000000000000000351361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.814{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000351360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.830{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000351359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.830{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000351358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.830{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000351357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.830{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000351356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.814{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000351355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.830{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000351354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.830{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000351353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.830{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000351352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.830{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000351351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.814{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000351350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.814{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000351349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.814{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000351348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.814{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000351347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.814{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000351346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.814{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000351345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.814{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000351344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.814{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000351343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.814{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000351342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.814{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000351341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.814{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000351340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.814{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000351339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.814{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000351338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.814{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000351337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.814{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000351336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.814{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000351335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.814{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000351334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.814{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000351333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.814{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000351332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.814{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000351331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.814{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000351330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.814{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000351329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.814{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000351328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.814{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000351327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.814{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000351326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.814{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000351325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.814{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000351324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.814{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000351323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.814{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000351322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.814{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000351321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.814{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000351320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.814{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000351319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.814{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000351318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.814{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000351317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.814{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000351316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.814{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.814{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.814{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.814{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.814{6820D070-4ACF-6323-0500-000000007502}404472C:\Windows\system32\csrss.exe{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000351311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.814{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000351310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.815{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000351309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.598{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=137AE9A553CD1249582EEE5F45040A94,SHA256=8C432B6137911E8BD3C0B699BCE1253BA3422740ED77DE52BE1C11F7F00E0A9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.592{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1D36CA8284295F820A5DE4CA6AE4A57,SHA256=247C1462487E8C735F0C7EB483ADE5C1D36503EF55B392E3A3D343A5DDC34B2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.591{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B804E9A44D3978747EC6B035B570E497,SHA256=826F8E551236E07E893CB3C63D6B035F4124B84B5A6EB8D291E41E0A7F5E2178,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.580{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=AAF33511A77042D409725090CB7896C7,SHA256=F83743E010FAF2600E6AD2D2877E1CCFD57ACF2DBA6F0C939682A007C38994B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.340{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29801490D889BB5C6FFE001DBA78A6C7,SHA256=36F301560C4F1BBF5E9FC7D9705395A88F9E7B895960880A07BFCAB8FA3540F1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.190{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B84-6323-9000-000000007602}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000191528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.182{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000191527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.177{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.177{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.177{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.177{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.177{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.177{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.314{6820D070-4F60-6323-6A01-000000007502}67446320C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000351304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.314{6820D070-4F60-6323-6A01-000000007502}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000351303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.314{6820D070-4F60-6323-6A01-000000007502}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000351302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.162{6820D070-4F60-6323-6A01-000000007502}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000351301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.162{6820D070-4F60-6323-6A01-000000007502}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000351300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.162{6820D070-4F60-6323-6A01-000000007502}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000351299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.162{6820D070-4F60-6323-6A01-000000007502}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000351298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.162{6820D070-4F60-6323-6A01-000000007502}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000351297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.162{6820D070-4F60-6323-6A01-000000007502}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000351296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.162{6820D070-4F60-6323-6A01-000000007502}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000351295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.162{6820D070-4F60-6323-6A01-000000007502}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000351294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.162{6820D070-4F60-6323-6A01-000000007502}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000351293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.144{6820D070-4F60-6323-6A01-000000007502}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000351292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.144{6820D070-4F60-6323-6A01-000000007502}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000351291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.144{6820D070-4F60-6323-6A01-000000007502}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000351290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.144{6820D070-4F60-6323-6A01-000000007502}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000351289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.144{6820D070-4F60-6323-6A01-000000007502}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000351288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.144{6820D070-4F60-6323-6A01-000000007502}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000351287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.144{6820D070-4F60-6323-6A01-000000007502}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000351286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.144{6820D070-4F60-6323-6A01-000000007502}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000351285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.144{6820D070-4F60-6323-6A01-000000007502}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000351284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.144{6820D070-4F60-6323-6A01-000000007502}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000351283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.144{6820D070-4F60-6323-6A01-000000007502}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000351282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.144{6820D070-4F60-6323-6A01-000000007502}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000351281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.144{6820D070-4F60-6323-6A01-000000007502}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000351280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.144{6820D070-4F60-6323-6A01-000000007502}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000351279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.144{6820D070-4F60-6323-6A01-000000007502}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000351278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.144{6820D070-4F60-6323-6A01-000000007502}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000351277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.144{6820D070-4F60-6323-6A01-000000007502}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000351276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.144{6820D070-4F60-6323-6A01-000000007502}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000351275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.144{6820D070-4F60-6323-6A01-000000007502}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000351274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.144{6820D070-4F60-6323-6A01-000000007502}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000351273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.144{6820D070-4F60-6323-6A01-000000007502}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000351272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.144{6820D070-4F60-6323-6A01-000000007502}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000351271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.144{6820D070-4F60-6323-6A01-000000007502}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000351270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.144{6820D070-4F60-6323-6A01-000000007502}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000351269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.144{6820D070-4F60-6323-6A01-000000007502}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000351268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.144{6820D070-4F60-6323-6A01-000000007502}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000351267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.144{6820D070-4F60-6323-6A01-000000007502}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000351266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.144{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4F60-6323-6A01-000000007502}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000351265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.144{6820D070-4F60-6323-6A01-000000007502}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000351264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.144{6820D070-4F60-6323-6A01-000000007502}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000351263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.144{6820D070-4F60-6323-6A01-000000007502}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000351262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.144{6820D070-4F60-6323-6A01-000000007502}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000351261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.144{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.144{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.144{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.144{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.144{6820D070-4ACF-6323-0500-000000007502}404472C:\Windows\system32\csrss.exe{6820D070-4F60-6323-6A01-000000007502}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000351256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.144{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4F60-6323-6A01-000000007502}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000351255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.145{6820D070-4F60-6323-6A01-000000007502}6744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000191521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.177{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.177{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.177{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.177{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.177{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.177{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.177{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.177{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.177{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.177{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.177{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.177{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.177{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.177{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.175{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.175{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.175{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.175{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B84-6323-9000-000000007602}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.175{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B84-6323-9000-000000007602}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.175{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B84-6323-9000-000000007602}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.166{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000191500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.161{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8700-000000007602}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000191499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.154{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B81-6323-8400-000000007602}3052C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000191498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.149{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B80-6323-8100-000000007602}640C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000191497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.148{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B7F-6323-7F00-000000007602}1676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000191496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.145{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B4B-6323-7B00-000000007602}2656C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000191495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.143{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AE3-6323-6D00-000000007602}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000191494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.141{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000191493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.139{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4200-000000007602}3036C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000191492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.137{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4000-000000007602}3000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000191491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.135{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-3C00-000000007602}2820C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000191490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.135{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD2-6323-2B00-000000007602}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000191489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.134{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2600-000000007602}2612C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000191488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.132{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2500-000000007602}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000191487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.129{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000191486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.125{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000191485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.123{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2000-000000007602}2000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000191484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.119{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1F00-000000007602}1984C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000191483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.111{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1C00-000000007602}1924C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000191482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.101{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1900-000000007602}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000191481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.082{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1700-000000007602}1228C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000191480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.078{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1600-000000007602}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 23542300x8000000000000000191479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.050{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88A41F7CE7D8930E496936618834B74B,SHA256=39B2BAD1A1B12AC01A64207BA229BCAE0C31110105168E6EA49389D20E51746C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.049{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1500-000000007602}1056C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000191477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.018{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1400-000000007602}1048C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000191476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.010{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1300-000000007602}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000191475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:24.004{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1200-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 354300x8000000000000000191532Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:23.394{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49923-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000191531Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:25.044{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=983E90322EAD0438B0C82CA647CC2B8C,SHA256=1793B5FB15B9407F31EC16622F4889B5BB0A1D6BEE8C8FB642560A4B41CDC831,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.683{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA99AD1965C758AFB5C463C4AE225B3C,SHA256=F8F7A1EE1FDB1A98FA60E43E67CBC667849BD3493A038E8AEE5F618A28A10441,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000351423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.667{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000351422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.667{6820D070-4F61-6323-6C01-000000007502}69006688C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000351421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.667{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000351420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.667{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000351419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.650{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A48AF11B11FE70E521FDD0DA89F278F6,SHA256=2E6F90870C8EC7AB3A3EF9F23EE9A46F3250722C78E3B919048EC1A4A4548C40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000351418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.620{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000351417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.620{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000351416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.620{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000351415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.619{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000351414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.619{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000351413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.619{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 734700x8000000000000000351412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.499{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000351411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.499{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000351410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.484{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000351409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.484{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000351408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.484{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000351407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.484{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000351406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.484{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000351405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.484{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000351404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.484{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000351403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.484{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000351402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.484{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000351401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.484{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000351400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.484{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000351399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.484{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000351398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.484{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000351397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.484{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000351396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.484{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000351395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.484{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000351394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.484{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000351393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.484{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000351392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.484{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000351391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.484{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000351390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.484{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000351389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.484{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000351388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.484{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000351387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.484{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000351386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.484{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000351385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.484{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000351384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.484{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000351383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.484{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000351382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.484{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000351381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.484{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000351380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.484{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000351379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.484{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000351378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.484{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000351377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.484{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000351376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.484{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000351375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.480{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000351374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.480{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000351373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.480{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000351372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.480{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.480{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.480{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.480{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.480{6820D070-4ACF-6323-0500-000000007502}404520C:\Windows\system32\csrss.exe{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000351367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.480{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000351366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.480{6820D070-4F61-6323-6C01-000000007502}6900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000351365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:23.117{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63606-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 734700x8000000000000000351364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.999{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000351363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.999{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000351362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:24.999{6820D070-4F60-6323-6B01-000000007502}6532C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000191533Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:26.138{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D83BD96F554F87F5C68CC66F8020207B,SHA256=BBDB6D623518D485BAEB0AF83A3268740D5C227EA55DC4C4BFB8F34D40BE5D62,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000351529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.900{6820D070-4F62-6323-6E01-000000007502}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000351528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.900{6820D070-4F62-6323-6E01-000000007502}74687372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000351527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.900{6820D070-4F62-6323-6E01-000000007502}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000351526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.900{6820D070-4F62-6323-6E01-000000007502}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000351525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.716{6820D070-4F62-6323-6E01-000000007502}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000351524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.716{6820D070-4F62-6323-6E01-000000007502}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000351523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.716{6820D070-4F62-6323-6E01-000000007502}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000351522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.716{6820D070-4F62-6323-6E01-000000007502}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000351521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.716{6820D070-4F62-6323-6E01-000000007502}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000351520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.716{6820D070-4F62-6323-6E01-000000007502}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000351519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.716{6820D070-4F62-6323-6E01-000000007502}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000351518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.716{6820D070-4F62-6323-6E01-000000007502}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000351517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.684{6820D070-4F62-6323-6E01-000000007502}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000351516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.684{6820D070-4F62-6323-6E01-000000007502}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000351515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.684{6820D070-4F62-6323-6E01-000000007502}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000351514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.684{6820D070-4F62-6323-6E01-000000007502}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000351513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.684{6820D070-4F62-6323-6E01-000000007502}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000351512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.684{6820D070-4F62-6323-6E01-000000007502}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000351511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.684{6820D070-4F62-6323-6E01-000000007502}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000351510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.684{6820D070-4F62-6323-6E01-000000007502}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000351509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.684{6820D070-4F62-6323-6E01-000000007502}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000351508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.684{6820D070-4F62-6323-6E01-000000007502}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000351507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.684{6820D070-4F62-6323-6E01-000000007502}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000351506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.684{6820D070-4F62-6323-6E01-000000007502}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000351505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.684{6820D070-4F62-6323-6E01-000000007502}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000351504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.684{6820D070-4F62-6323-6E01-000000007502}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000351503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.684{6820D070-4F62-6323-6E01-000000007502}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000351502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.684{6820D070-4F62-6323-6E01-000000007502}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000351501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.684{6820D070-4F62-6323-6E01-000000007502}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000351500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.684{6820D070-4F62-6323-6E01-000000007502}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000351499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.684{6820D070-4F62-6323-6E01-000000007502}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000351498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.684{6820D070-4F62-6323-6E01-000000007502}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000351497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.684{6820D070-4F62-6323-6E01-000000007502}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000351496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.684{6820D070-4F62-6323-6E01-000000007502}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000351495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.684{6820D070-4F62-6323-6E01-000000007502}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000351494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.684{6820D070-4F62-6323-6E01-000000007502}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000351493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.684{6820D070-4F62-6323-6E01-000000007502}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000351492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.684{6820D070-4F62-6323-6E01-000000007502}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000351491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.684{6820D070-4F62-6323-6E01-000000007502}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000351490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.684{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4F62-6323-6E01-000000007502}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000351489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.684{6820D070-4F62-6323-6E01-000000007502}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000351488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.684{6820D070-4F62-6323-6E01-000000007502}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000351487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.681{6820D070-4F62-6323-6E01-000000007502}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000351486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.681{6820D070-4F62-6323-6E01-000000007502}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000351485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.681{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.681{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.681{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.681{6820D070-4ACF-6323-0500-000000007502}404420C:\Windows\system32\csrss.exe{6820D070-4F62-6323-6E01-000000007502}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000351481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.681{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.681{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4F62-6323-6E01-000000007502}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000351479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.681{6820D070-4F62-6323-6E01-000000007502}7468C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000351478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.665{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64B24269676B0426FECA7C60360111C0,SHA256=6BBC6263273F20076FCB37FB0C5A30D32209A2B60E5D42195ED54284D8287759,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000351477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.217{6820D070-4F62-6323-6D01-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000351476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.217{6820D070-4F62-6323-6D01-000000007502}65887448C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000351475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.217{6820D070-4F62-6323-6D01-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000351474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.217{6820D070-4F62-6323-6D01-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000351473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.147{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E66CFE3C4F259A2D175ED8BB19C3091A,SHA256=F1F3191830AF8ACC6CB845276F897EF156533925346094031868DD48F6B5E31F,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000351472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.031{6820D070-4F62-6323-6D01-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000351471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.031{6820D070-4F62-6323-6D01-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000351470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.031{6820D070-4F62-6323-6D01-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000351469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.031{6820D070-4F62-6323-6D01-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000351468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.031{6820D070-4F62-6323-6D01-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000351467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.031{6820D070-4F62-6323-6D01-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000351466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.031{6820D070-4F62-6323-6D01-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000351465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.031{6820D070-4F62-6323-6D01-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000351464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.031{6820D070-4F62-6323-6D01-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000351463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.031{6820D070-4F62-6323-6D01-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000351462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.031{6820D070-4F62-6323-6D01-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000351461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.015{6820D070-4F62-6323-6D01-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000351460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.015{6820D070-4F62-6323-6D01-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000351459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.015{6820D070-4F62-6323-6D01-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000351458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.015{6820D070-4F62-6323-6D01-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000351457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.015{6820D070-4F62-6323-6D01-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000351456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.015{6820D070-4F62-6323-6D01-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000351455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.015{6820D070-4F62-6323-6D01-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000351454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.015{6820D070-4F62-6323-6D01-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000351453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.015{6820D070-4F62-6323-6D01-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000351452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.015{6820D070-4F62-6323-6D01-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000351451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.015{6820D070-4F62-6323-6D01-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000351450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.015{6820D070-4F62-6323-6D01-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000351449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.015{6820D070-4F62-6323-6D01-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000351448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.015{6820D070-4F62-6323-6D01-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000351447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.015{6820D070-4F62-6323-6D01-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000351446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.015{6820D070-4F62-6323-6D01-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000351445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.015{6820D070-4F62-6323-6D01-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000351444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.015{6820D070-4F62-6323-6D01-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000351443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.015{6820D070-4F62-6323-6D01-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000351442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.015{6820D070-4F62-6323-6D01-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000351441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.015{6820D070-4F62-6323-6D01-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000351440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.015{6820D070-4F62-6323-6D01-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000351439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.015{6820D070-4F62-6323-6D01-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000351438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.015{6820D070-4F62-6323-6D01-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000351437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.015{6820D070-4F62-6323-6D01-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 10341000x8000000000000000351436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.015{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4F62-6323-6D01-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000351435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.015{6820D070-4F62-6323-6D01-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000351434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.015{6820D070-4F62-6323-6D01-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000351433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.015{6820D070-4F62-6323-6D01-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000351432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.015{6820D070-4F62-6323-6D01-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000351431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.015{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.015{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.015{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.015{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.015{6820D070-4ACF-6323-0500-000000007502}404420C:\Windows\system32\csrss.exe{6820D070-4F62-6323-6D01-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000351426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.015{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4F62-6323-6D01-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000351425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.016{6820D070-4F62-6323-6D01-000000007502}6588C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000191535Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:27.561{E743DC12-4AD0-6323-1C00-000000007602}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\respondent-20220915155459-018MD5=36EB26F9EED14D2A649109B5B0D3FC1A,SHA256=D5225DBB467937E991D5678F78067E4612BF477D9EC2143F1C43E71004CE921E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191534Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:27.242{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EA0B9DA753F6CE78FA6AF18EAA17A93,SHA256=82695C6E28D5FA4343EE5C8CA30D9A007DC4F6263F5B9094C144C026166B3286,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000351582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.555{6820D070-4F63-6323-6F01-000000007502}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000351581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.553{6820D070-4F63-6323-6F01-000000007502}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000351580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.552{6820D070-4F63-6323-6F01-000000007502}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000351579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.482{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15588970FA547B9310B510815BB49D51,SHA256=00DA16C28A48C4C0FD8D92FCF874E23587DC25E4DB28A6765E04C39B36BAF795,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000351578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.366{6820D070-4F63-6323-6F01-000000007502}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000351577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.366{6820D070-4F63-6323-6F01-000000007502}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000351576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.366{6820D070-4F63-6323-6F01-000000007502}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000351575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.366{6820D070-4F63-6323-6F01-000000007502}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000351574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.366{6820D070-4F63-6323-6F01-000000007502}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000351573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.366{6820D070-4F63-6323-6F01-000000007502}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000351572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.366{6820D070-4F63-6323-6F01-000000007502}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000351571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.348{6820D070-4F63-6323-6F01-000000007502}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000351570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.348{6820D070-4F63-6323-6F01-000000007502}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000351569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.348{6820D070-4F63-6323-6F01-000000007502}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000351568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.348{6820D070-4F63-6323-6F01-000000007502}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000351567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.348{6820D070-4F63-6323-6F01-000000007502}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000351566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.348{6820D070-4F63-6323-6F01-000000007502}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000351565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.348{6820D070-4F63-6323-6F01-000000007502}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000351564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.348{6820D070-4F63-6323-6F01-000000007502}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000351563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.348{6820D070-4F63-6323-6F01-000000007502}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000351562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.348{6820D070-4F63-6323-6F01-000000007502}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000351561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.348{6820D070-4F63-6323-6F01-000000007502}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000351560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.348{6820D070-4F63-6323-6F01-000000007502}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000351559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.348{6820D070-4F63-6323-6F01-000000007502}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000351558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.348{6820D070-4F63-6323-6F01-000000007502}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000351557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.348{6820D070-4F63-6323-6F01-000000007502}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000351556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.348{6820D070-4F63-6323-6F01-000000007502}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000351555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.348{6820D070-4F63-6323-6F01-000000007502}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000351554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.348{6820D070-4F63-6323-6F01-000000007502}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000351553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.348{6820D070-4F63-6323-6F01-000000007502}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000351552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.348{6820D070-4F63-6323-6F01-000000007502}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000351551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.348{6820D070-4F63-6323-6F01-000000007502}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000351550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.348{6820D070-4F63-6323-6F01-000000007502}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000351549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.348{6820D070-4F63-6323-6F01-000000007502}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000351548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.348{6820D070-4F63-6323-6F01-000000007502}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000351547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.348{6820D070-4F63-6323-6F01-000000007502}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000351546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.348{6820D070-4F63-6323-6F01-000000007502}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000351545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.348{6820D070-4F63-6323-6F01-000000007502}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000351544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.348{6820D070-4F63-6323-6F01-000000007502}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000351543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.348{6820D070-4F63-6323-6F01-000000007502}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000351542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.348{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4F63-6323-6F01-000000007502}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000351541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.348{6820D070-4F63-6323-6F01-000000007502}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000351540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.348{6820D070-4F63-6323-6F01-000000007502}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000351539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.348{6820D070-4F63-6323-6F01-000000007502}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000351538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.348{6820D070-4F63-6323-6F01-000000007502}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000351537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.348{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.348{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.348{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.348{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.348{6820D070-4ACF-6323-0500-000000007502}404420C:\Windows\system32\csrss.exe{6820D070-4F63-6323-6F01-000000007502}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000351532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.348{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4F63-6323-6F01-000000007502}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000351531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.349{6820D070-4F63-6323-6F01-000000007502}7488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000351530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:27.183{6820D070-4ADF-6323-3200-000000007502}2936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=9553656B9A6FFE3089A62EE37B712B25,SHA256=B9F2C9AFBA67C1E722B7A82B65A933A252BD2D906A2E747E3FA652FA29A5ECEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191537Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:28.573{E743DC12-4AD0-6323-1C00-000000007602}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\surveyor-20220915155457-019MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191536Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:28.442{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41CF569C982CEDC191104BEC08D2E600,SHA256=4AB1A46FE501A9CC4F37B6C04560001F33169D82E4CF73F55A85F19D04E90D1A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000351592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.839{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63607-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000351591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:25.839{6820D070-4ADF-6323-2600-000000007502}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63607-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 10341000x8000000000000000351590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:28.167{6820D070-4B7F-6323-9900-000000007502}29725508C:\Windows\Explorer.EXE{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:28.167{6820D070-4B7F-6323-9900-000000007502}29725508C:\Windows\Explorer.EXE{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:28.167{6820D070-4B7F-6323-9900-000000007502}29725508C:\Windows\Explorer.EXE{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:28.167{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+ca500|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:28.167{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+66460|C:\Windows\System32\SHELL32.dll+ca4bc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:28.167{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+ca490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:28.167{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000351583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:28.049{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46A42AC023143252F18FD9D3586208BC,SHA256=F4EA23C74BCF0B216CCD2E9AAB1FF6AC16C8B8B3275221B71E5F5291DCF0EAC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191538Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:29.521{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=227CC94A8CFED65F7A6065AB59F6E114,SHA256=8E230B5953B71EB7B26E7B46D2E14F91156B4B76A1113C0498BB72714B4EDF40,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000351594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:26.321{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63608-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000351593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:29.150{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C4E3CA624E106B421F385D66E9B9F24,SHA256=BD4138E2FEB7F2B9E5F644451B3CADFF1C456C059A9BE1371BF06ADE1AAB8816,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191539Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:30.731{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8190AB9492ECA66E80D6964BB486AE9,SHA256=E75C5BE8C3A1743C2EB3C6249D07E25864D68D819205E6F4BE2958177B7472DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:30.170{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D4989324619F2D9206DC4EBED3F2A92,SHA256=456A13B772EC8DEC823943DAEFA57355A3FB119A5E18B83046510BD0940E7856,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191541Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:31.929{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77E629C881D87992FF0F46192738E1A0,SHA256=C4B70609E21752F83D4B68D322688D1CDC1AC192EDD8638391C553C59771CFAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:31.238{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F05C0DAE5D76E46335B9A90737C762AF,SHA256=2196624FA65A2F221C98E29EEB886256FF0A391B1A064617A3CECD5433F6D1DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191540Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:28.470{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49924-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000351597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:32.309{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1995AEA182C166A8F74F50C8B430E9DA,SHA256=C6109144FC49D7C259CD297FFA828E69EEEA43C48B804FBC76B14A646D0C2D57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:33.345{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E31E1D4E5089DFEC960504D669729F9,SHA256=E3489CF338152A7A194DB48B02292BE0EF14F7E42704BAEFDC748A6701B8C963,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191542Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:33.024{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4FF8B391BFD7744F3584C8D2DB7E249,SHA256=B45CC3B1C37338E447122AC7F2C8CDA22D016688144EC8E1F9EE58751858B96B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000351600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:32.218{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63609-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000351599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:34.380{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=220B2A16144A4F8724FA4653C7F371D3,SHA256=BC5543904511356CD598A00CD5F982AAE5257D90D9D1E051A26DBAC1590BD727,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191543Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:34.132{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF52B7EED60B7AE2ADBC4DFFD6B9031E,SHA256=5711F600F3613D176C847F2B9342CE981BF55F8F88E6B7E2E27AB530D4AD6B93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:35.420{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E47C93F2395A73E8F692AAC19BC2520,SHA256=84CA28C12FF6B6CB1F87C738EECE486CC92B5F815C794B11D85448909959EC78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191544Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:35.346{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B48B2E35784A202B4DC06C5FC4F8D7BE,SHA256=266DEDB5B9F193AC914C79CDC35D9A7C585434FC0637035961AAF5D68B9CFF01,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191546Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:34.252{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49925-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000191545Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:36.453{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=009EBE1F892AF818887691D227324393,SHA256=4493A5C47699EAB7F79C3D709C5CCD457A766AF823EA3949CB69CA4B2AA0DA36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:36.489{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B529EC042FDD0CCB9600CFB9FE6FB47A,SHA256=60DEE0FB86EBBDC7FFE4B919354CDF102B7B5098C18154F208FE4455C45523A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000351608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:36.207{6820D070-4B7F-6323-9900-000000007502}29725508C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:36.207{6820D070-4B7F-6323-9900-000000007502}29725508C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:36.203{6820D070-4B7F-6323-9900-000000007502}29725508C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:36.187{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+ca500|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:36.187{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+66460|C:\Windows\System32\SHELL32.dll+ca4bc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:36.187{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+ca490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:36.187{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191547Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:37.673{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A72BBFAED30CD99542EF2031D855C690,SHA256=BB4D41A9F315A8921B7382C9EC98EF208AFFEBF4320420D05AF1BBEAD0EE8544,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:37.567{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61F68A33736032020B20CB93F6141333,SHA256=8A0764B423DBAA21EE7E37FBE7541F2D471319871A33D3C882574BE92494622B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191548Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:38.755{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0389136E3CCA8DEDAB5B0E908AF0527D,SHA256=EFC0BC0CDA0AC0088691344732809BA3C2776DABF393C39C34E33BD8D1525335,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:38.621{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DEDB465B53E4231C32631DC80E733C4,SHA256=565F5E3230F1FDC05CF0DE45382AF4E9BECFDBDF302779873C1D1A1131F32436,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000351644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:39.901{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2E00-000000007502}2728C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:39.899{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2D00-000000007502}2720C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:39.892{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 23542300x8000000000000000351641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:39.728{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B80EF4FA4476827D225C03FB7779330,SHA256=EDDA1556BA4D32557B9143D93ED25663EF3147DA75EB0F4B8D43A69B82B6B62B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191549Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:39.841{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52ACA70F061BF02B22BA8F30C94F5B54,SHA256=E64607BCE0D9CBC653D813FCA0D0B265C37FF9DE257942F1E7E242BF4BBA92D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000351640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:37.425{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63610-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000351639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:39.427{6820D070-4B7F-6323-9900-000000007502}29725508C:\Windows\Explorer.EXE{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:39.427{6820D070-4B7F-6323-9900-000000007502}29725508C:\Windows\Explorer.EXE{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:39.427{6820D070-4B7F-6323-9900-000000007502}29725508C:\Windows\Explorer.EXE{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:39.420{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+ca500|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:39.420{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+66460|C:\Windows\System32\SHELL32.dll+ca4bc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:39.420{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+ca490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:39.420{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:39.366{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:39.360{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2900-000000007502}2576C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:39.345{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:39.336{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2600-000000007502}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:39.328{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2500-000000007502}2460C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:39.324{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADB-6323-2300-000000007502}2300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:39.322{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD2-6323-1B00-000000007502}1512C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:39.319{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1700-000000007502}1348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:39.304{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1600-000000007502}1292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:39.271{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:39.264{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1400-000000007502}1160C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:39.259{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1300-000000007502}924C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:39.250{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1200-000000007502}396C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:39.241{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1100-000000007502}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:39.234{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1000-000000007502}428C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:39.224{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0F00-000000007502}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:39.216{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:39.204{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0D00-000000007502}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:39.196{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:39.157{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:39.153{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0900-000000007502}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 23542300x8000000000000000351645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:40.805{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81C06E6AF78C875B064F04164C606DBF,SHA256=9875AA86E62EF84A8EAFA9A24BD7A4B54829ED2BC2FBD55F5174FBE58EC58095,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191550Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:40.927{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=480483C4E4F9C0B548338F81B1525F0B,SHA256=74302CDAFB5EC3D015B9FF2276E3CC456A9C4CFB2B3027B67827CE680837976E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000351652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:41.921{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3500-000000007502}2408C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:41.920{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3300-000000007502}2176C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:41.915{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:41.913{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3100-000000007502}2816C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:41.910{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2F00-000000007502}2800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 23542300x8000000000000000351647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:41.908{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=067E00F141CC69CB5C59465A8053B9E9,SHA256=0E119B2A0D7D8BE88A797ADFED4F43F6F858C98D0DE8866C003312F9C18AE3BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000351646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:41.907{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3000-000000007502}2780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:42.591{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:42.588{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:42.585{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:42.582{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:42.580{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:42.576{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:42.573{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF6-6323-1401-000000007502}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:42.571{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:42.567{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F100-000000007502}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:42.560{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F000-000000007502}6028C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:42.557{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EF00-000000007502}5984C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:42.548{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EE00-000000007502}5852C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:42.521{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:42.514{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:42.503{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:42.473{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:42.466{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-9100-000000007502}4556C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:42.456{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-8E00-000000007502}4492C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:42.451{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8B00-000000007502}4360C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:42.449{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8900-000000007502}900C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:42.447{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B64-6323-8600-000000007502}5052c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:42.444{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B5A-6323-8400-000000007502}4824C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:42.441{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AF2-6323-7D00-000000007502}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:42.438{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:42.432{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4C00-000000007502}3976C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:42.431{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4700-000000007502}3772C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:42.429{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE1-6323-4600-000000007502}3752C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000351654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:42.428{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE0-6323-3A00-000000007502}3404C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 23542300x8000000000000000351653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:42.311{6820D070-4ADF-6323-2900-000000007502}2576NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\respondent-20220915155514-018MD5=3EE9864ACDFFE78A8B2E0DEDF704C720,SHA256=3E9075B80C33CFA58EAF977E4450D367AD693E429428DFB55B91DE7FD240E49F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191553Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:39.263{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49926-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000191552Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:42.252{E743DC12-4AD1-6323-2200-000000007602}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=508C75A38CBCEC35AADC238FB4689EF2,SHA256=62B585C01881ABDF3F31C2764EACB65CBD4E18B984133C06845A592C50472569,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191551Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:42.033{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA3B55C7205AB30D9E16CF81145E7E3B,SHA256=3D8BC0872344CDBEA817F44CFFA9E7578272C65FFE3FB7C85EA617C87AE1B618,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:43.443{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=916450EB76ACB4957BC834E17AD1EFE7,SHA256=75EC5C728F3C6F28DB4BDD26F7194F4681DF1BDF124CC92194B88FC0F03247AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:43.308{6820D070-4ADF-6323-2900-000000007502}2576NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\surveyor-20220915155511-019MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191562Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:43.992{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1100-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191561Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:43.971{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1000-000000007602}940C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191560Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:43.964{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0F00-000000007602}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191559Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:43.957{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0E00-000000007602}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191558Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:43.950{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0D00-000000007602}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191557Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:43.938{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0C00-000000007602}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191556Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:43.932{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191555Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:43.929{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0900-000000007602}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 23542300x8000000000000000191554Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:43.131{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6084DF2EDFE7405B712A787737DA532,SHA256=D71BF2F77EC6E2FCF8F83EA30CE3BC3FEEE12C974687AA7A6822580DD1B69929,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:44.393{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71431FACB2C63498C10F23A911102377,SHA256=5FE8A5C36BBFCB6D77DF3DD1FA69933E61D922787C4DA9CC67CB8ABD54490889,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191591Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:44.442{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6625158792C94FDF83E65A0AFE90A921,SHA256=1BC263C4E5A3C89BE23BACF3056D471218B2174EEF5C663D774EC5BDB2642603,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191590Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:44.212{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B84-6323-9000-000000007602}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191589Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:44.203{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191588Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:44.185{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191587Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:44.175{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8700-000000007602}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191586Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:44.168{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B81-6323-8400-000000007602}3052C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191585Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:44.163{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B80-6323-8100-000000007602}640C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191584Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:44.161{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B7F-6323-7F00-000000007602}1676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191583Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:44.159{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B4B-6323-7B00-000000007602}2656C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191582Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:44.152{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AE3-6323-6D00-000000007602}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191581Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:44.149{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191580Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:44.146{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4200-000000007602}3036C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191579Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:44.146{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4000-000000007602}3000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191578Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:44.144{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-3C00-000000007602}2820C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191577Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:44.143{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD2-6323-2B00-000000007602}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191576Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:44.142{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2600-000000007602}2612C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191575Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:44.141{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2500-000000007602}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191574Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:44.138{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191573Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:44.134{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191572Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:44.132{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2000-000000007602}2000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191571Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:44.129{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1F00-000000007602}1984C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191570Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:44.124{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1C00-000000007602}1924C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191569Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:44.118{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1900-000000007602}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191568Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:44.106{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1700-000000007602}1228C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191567Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:44.103{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1600-000000007602}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191566Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:44.082{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1500-000000007602}1056C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191565Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:44.042{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1400-000000007602}1048C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191564Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:44.028{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1300-000000007602}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 10341000x8000000000000000191563Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:44.011{E743DC12-4AD0-6323-1D00-000000007602}19443780C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1200-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000015B38190) 354300x8000000000000000351686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:43.398{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63611-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000351685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:45.447{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB7F3CBD450CE32BE6926CDC4AD0F2DD,SHA256=A2E7D811BB2124E5DE3F7353797D1162A6128FE15620ED53936C51DFD8597C66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191592Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:45.327{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A34339D902B124C05360310699A6C9CE,SHA256=08E5FA1A933E2A8BC19F98172E7310F7F4A7C4BD15E98F94A0C0DC328A842966,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:46.513{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DE4A728E692995A73EE88652277FB99,SHA256=CCCBD2A12A4E7F03E9FD73E9C826CB16CDF1920AE53898C8B14AA4FC85B4816A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191594Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:44.499{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49927-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000191593Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:46.436{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F2DBBD9789B86D86004DB8AEF0ADC2C,SHA256=D1B53F66BA500CF86F4B689AE1AB249A42E854E53BDCCFE8C12CC87CCE993CF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:47.565{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D06B5AAB758B084E1669487D72AABD5,SHA256=E7295BC87C873A4986E396E7BE979312ACE86460F157C5A5157AAB49C1F93727,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191595Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:47.535{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2831B136B2ED6A50FCA136919E249EDC,SHA256=0840F05AFEA9F363B0C98BBA47F8326889EA26B1B35F48C6CD91243D196E9858,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:48.616{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D9AFA5140FCE585DA6820A362466E14,SHA256=BFEA7F07B923B42AC63113891F627E2310E8D37182FE807C13DD0B79C0BD806F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191596Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:48.741{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ABF1433CEE154AAC40B16A7F4762ACC,SHA256=A013CDDE67DE74DB5DF8A669235A5B223A448F880AEE182DA2502CA44F66A3C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:49.718{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=839ADEF29DD5CE30B5A048E71F6B4D33,SHA256=5DBC5CBF26D21C4BE2BADEDE40768993BB594D6C9452A3D52A6437532F5DEA2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191597Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:49.834{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B73EE83619B0B7CA807E4AFF56A45FA,SHA256=67A8EDB4063C5B3FDE358C089282D481B4E4DE5D0B43E861E24090A05A0AC247,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000351692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:48.409{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63612-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000351691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:50.820{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1645B23E0C3CEDC8033D3BB08A88E653,SHA256=2F4A85884B34C59DD0A09E6D8C77BE730047A790CCB4AFC3B3185ABC19A71B00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191598Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:50.925{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=881EF6E664780C4575320E843B408191,SHA256=7FCC5136A9CB31214BBCC8A0C7F5892F2F536B713E94DB330BF07FC082D62F86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:51.922{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEC45CF4E692A7D1325768E6589D462E,SHA256=5EA77DC221519F5444984678FCAA40106DE50AA19FB31009C2FF6E014FB2B3D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191600Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:50.254{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49928-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000191599Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:52.014{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F9EA38706315690923ED7616A170DDF,SHA256=CD44D28B95B7EA6D23981A558E8AE4B46CD258328C9AA6551B573783BAE121D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191601Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:53.106{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E7BB3E5FD7F9557B6DB932FAF85F818,SHA256=059F1E487C92D785A55AF9B41F0EE8ADE3625FBAC6A47EBCCCC12C2FE7E52DE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:53.026{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65D4E203A367C5EBFD70047120A35EC4,SHA256=3CC6F96FB297FFFE76910A8A920AF833C319670BB25E4B9BEDFB58F204EF838E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191602Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:54.203{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9208EF84A1FD549A4E8248FFD6E8BE6,SHA256=93C1AE2038F3E9FFC63F5D3996F6B4E453AE66955A976CD9E9C0B900A1D6B89F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:54.113{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B564DE53D183B611790772E2A957789,SHA256=7D6D7A7B8704ED2366C0A997A986B06CE632CEFFD49A1DF959BFFF05DDFBD323,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191603Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:55.297{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80CB5FE8E5662687951F3B2F12B5442A,SHA256=1C88CE53D11F53307AECF6F7AF2E079A47CB19491D38C615289E76987B282C1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:55.245{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB0E35B5D5D2109C1FE0CC261C2C06FE,SHA256=C10728704C1A900749121DD8D7E9C6732A47BDDA11DEA0C231B41C8B05295BE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191604Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:56.416{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9797737621901F6815B50290D471AA1,SHA256=3D3DF60CD6B3DA5191D5D01E9E3F0164157B39E6B8573B85A16372DC4EF2F22B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000351699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:54.415{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63613-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000351698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:56.392{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FF1C37FB25C94833E6E5A6FBCED5094,SHA256=A55DAB40D62A913EFE3542B6652133373701909F267DA2949A625B239C9B66E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:56.029{6820D070-4DB7-6323-0A01-000000007502}6624ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=178B10B6EFF517779B2235B47272EEF1,SHA256=828C41F31C967E9B156C9509256D703BDF6A5C9ECB43AE150AC9B9FC188948D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191606Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:57.747{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCA3CB216AA25F0FDB81FAA5AC878106,SHA256=7A2729412A99E937AED036DF9D13A2F225E4FDB53D44891BE7CD0D6BB6515BE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:57.561{6820D070-4ADF-6323-3200-000000007502}2936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1FCFF30F6E8D85CA47B2115D6582CDF7,SHA256=07581D9668F6D462244DCCB41AB76B2878D8956AD0BB31CE9340C2F61A018B17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:57.511{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4391F6E04AAF51B52FBEF75B27239225,SHA256=6B5F1E7E970B5F8A5209D4F8D661C033BC7800D4887E603FC590F200404D7B6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191605Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:57.411{E743DC12-4AD0-6323-1100-000000007602}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=58CE469F7DB6E663CF01D77201916035,SHA256=504BC521783F0643A5818E4B945BF7F9F0FED82065A1257C063F382F3868B091,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191618Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:58.845{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D8A62C6049BB1FE4E670D4FD6CE08C8,SHA256=6919130D3122B2E0F8DD28A967878B815397DC6C9A98CCAEF44A3AADF1100F45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:58.846{6820D070-4AD1-6323-1100-000000007502}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C26D3EA9703CF87A56B0C2ED472CFDE5,SHA256=8CFC41545F44BE41130BF00E904BE0D43E9F561BFC45F04297EDDDAA8C3C3406,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000351704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:58.746{6820D070-4AD1-6323-1500-000000007502}122010028C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:58.746{6820D070-4AD1-6323-1500-000000007502}122010028C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bca3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22acf|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+2c9ae|C:\Windows\system32\wbem\wbemcore.dll+202cc|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22baa|C:\Windows\system32\wbem\wbemcore.dll+22a09|C:\Windows\system32\wbem\wbemcore.dll+21f4a|C:\Windows\system32\wbem\wbemcore.dll+22701|C:\Windows\system32\wbem\wbemcore.dll+2d77c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000351702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:58.611{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0277BEADC96AFAC6E968898BC41C8897,SHA256=D6B1CCE68A10D57D7B769492952BC025BA7B3BE449813B8A660FD1F0C3DA5926,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000191617Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 16:14:58.465{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000191616Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 16:14:58.465{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00130ca5) 13241300x8000000000000000191615Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 16:14:58.465{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8c915-0xeb198485) 13241300x8000000000000000191614Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 16:14:58.465{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8c91e-0x4cddec85) 13241300x8000000000000000191613Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 16:14:58.465{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8c926-0xaea25485) 13241300x8000000000000000191612Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 16:14:58.465{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000191611Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 16:14:58.465{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x00130ca5) 13241300x8000000000000000191610Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 16:14:58.465{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8c915-0xeb198485) 13241300x8000000000000000191609Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 16:14:58.465{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8c91e-0x4cddec85) 13241300x8000000000000000191608Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-SetValue2022-09-15 16:14:58.465{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8c926-0xaea25485) 354300x8000000000000000191607Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:14:55.458{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49929-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000351782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.981{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.981{6820D070-4B7F-6323-9900-000000007502}29729196C:\Windows\Explorer.EXE{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.981{6820D070-4B7F-6323-9900-000000007502}29729196C:\Windows\Explorer.EXE{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.981{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.981{6820D070-4B7F-6323-9900-000000007502}29722476C:\Windows\Explorer.EXE{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.981{6820D070-4B7F-6323-9900-000000007502}29722476C:\Windows\Explorer.EXE{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.981{6820D070-4B7F-6323-9900-000000007502}29722476C:\Windows\Explorer.EXE{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.981{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+ca500|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.981{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+66460|C:\Windows\System32\SHELL32.dll+ca4bc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.981{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+ca490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.981{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.865{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2E00-000000007502}2728C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.864{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2D00-000000007502}2720C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.860{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 13241300x8000000000000000351768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.localT1060,RunKeySetValue2022-09-15 16:14:59.781{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000351767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.localT1060,RunKeySetValue2022-09-15 16:14:59.781{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x001309c7) 13241300x8000000000000000351766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 16:14:59.781{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8c915-0xebb9cba1) 13241300x8000000000000000351765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 16:14:59.781{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8c91e-0x4d7e33a1) 13241300x8000000000000000351764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 16:14:59.781{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8c926-0xaf429ba1) 13241300x8000000000000000351763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.localT1060,RunKeySetValue2022-09-15 16:14:59.781{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x8000000000000000351762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.localT1060,RunKeySetValue2022-09-15 16:14:59.781{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x001309c7) 13241300x8000000000000000351761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 16:14:59.781{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d8c915-0xebb9cba1) 13241300x8000000000000000351760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 16:14:59.781{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d8c91e-0x4d7e33a1) 13241300x8000000000000000351759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 16:14:59.781{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d8c926-0xaf429ba1) 23542300x8000000000000000351758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.697{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5585FCFF5B9F0DC0BCBD56FFF9086D0,SHA256=444DC1147A911B43418BEE9BF2AF0E889EA96628A8860CD8096590EB37940ECB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000351757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.421{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 23542300x8000000000000000351756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.418{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EF34998E6494316FEAD13CD89B83731,SHA256=3752D701550ADC18457220CF950C7FD993BA972DA37643663BFB87A6BDDD70CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000351755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.413{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2900-000000007502}2576C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.405{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.375{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2600-000000007502}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.367{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2500-000000007502}2460C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.362{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADB-6323-2300-000000007502}2300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.360{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD2-6323-1B00-000000007502}1512C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.355{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1700-000000007502}1348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.344{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1600-000000007502}1292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.313{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.307{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1400-000000007502}1160C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.300{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1300-000000007502}924C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.289{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1200-000000007502}396C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.279{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1100-000000007502}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.270{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1000-000000007502}428C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.240{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0F00-000000007502}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.232{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.220{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0D00-000000007502}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.218{6820D070-4B7E-6323-8F00-000000007502}45402152C:\Windows\System32\RuntimeBroker.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b4a|C:\Windows\System32\combase.dll+6d90d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+39788|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000351737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.218{6820D070-4B7E-6323-8F00-000000007502}45402152C:\Windows\System32\RuntimeBroker.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+76b4a|C:\Windows\System32\combase.dll+6d90d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+39788|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000351736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.216{6820D070-4B7F-6323-9900-000000007502}29726904C:\Windows\Explorer.EXE{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.215{6820D070-4B7F-6323-9900-000000007502}29726904C:\Windows\Explorer.EXE{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.211{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.205{6820D070-4B7E-6323-8F00-000000007502}45402152C:\Windows\System32\RuntimeBroker.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+39788|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000351732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.204{6820D070-4B7E-6323-8F00-000000007502}45402152C:\Windows\System32\RuntimeBroker.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380db|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+39788|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e|C:\Windows\System32\RPCRT4.dll+20c07|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000351731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.204{6820D070-4B7E-6323-8F00-000000007502}45404136C:\Windows\System32\RuntimeBroker.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b4a|C:\Windows\System32\combase.dll+6d90d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+39788|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d 10341000x8000000000000000351730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.204{6820D070-4B7E-6323-8F00-000000007502}45404136C:\Windows\System32\RuntimeBroker.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\System32\combase.dll+380db|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+76b4a|C:\Windows\System32\combase.dll+6d90d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+129f|C:\Windows\System32\combase.dll+3b233|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+39788|C:\Windows\System32\combase.dll+3757d|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+52179|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+3528e 10341000x8000000000000000351729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.199{6820D070-4B7F-6323-9900-000000007502}29724428C:\Windows\Explorer.EXE{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+39788|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000351728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.199{6820D070-4B7F-6323-9900-000000007502}29724428C:\Windows\Explorer.EXE{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+39788|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000351727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.191{6820D070-4B7F-6323-9900-000000007502}29722476C:\Windows\Explorer.EXE{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.190{6820D070-4B7F-6323-9900-000000007502}29722476C:\Windows\Explorer.EXE{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.186{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.183{6820D070-4B7F-6323-9900-000000007502}29722476C:\Windows\Explorer.EXE{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.180{6820D070-4AD1-6323-0D00-000000007502}888920C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.180{6820D070-4AD1-6323-0D00-000000007502}888920C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.179{6820D070-4AD1-6323-0D00-000000007502}888920C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.179{6820D070-4AD1-6323-0D00-000000007502}888920C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.179{6820D070-4AD1-6323-0D00-000000007502}888920C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.178{6820D070-4AD1-6323-0D00-000000007502}888920C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.178{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.178{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.178{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.177{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000351713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.177{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000351712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.177{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000351711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.177{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.175{6820D070-4B7F-6323-9900-000000007502}29728224C:\Windows\Explorer.EXE{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.175{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.175{6820D070-4B7F-6323-9900-000000007502}29728224C:\Windows\Explorer.EXE{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+148a56|C:\Windows\System32\TwinUI.dll+82337|C:\Windows\System32\TwinUI.dll+c27ee|C:\Windows\System32\TwinUI.dll+c27b9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.165{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.162{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0900-000000007502}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 23542300x8000000000000000351787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:00.815{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=528EA954F6D2B875EFB0B867C423E1F6,SHA256=8AD6A22B5DF0B8FF3DFF33D7600B94762505A39311D0E4BC671BDC2B92B7F3F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191619Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:00.058{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDA31ADA8E79D6594C6470C8E3DF2BFA,SHA256=D4C5317027B58CF98BD0482E7FACDED2B11D5C6641362E627A7C3E6B83AF5A65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:00.415{6820D070-4DB7-6323-0A01-000000007502}6624ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2022-09-15_161456MD5=B65AB0C26E593FB9EF2D3DCF0A896186,SHA256=B407958DC96A2A8C609FE8292473309C16588454C77F7379C8D5A9BFFB771F2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:00.415{6820D070-4DB7-6323-0A01-000000007502}6624ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=6827299A35E7882FDE4596C60652FA96,SHA256=6C2C3F71F557BA6AFC779D8F81588B89BF758FE4BBB0C4B70EA2A354E3CC1724,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000351784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.997{6820D070-4B7F-6323-9900-000000007502}29724428C:\Windows\Explorer.EXE{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+39788|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x8000000000000000351783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.997{6820D070-4B7F-6323-9900-000000007502}29724428C:\Windows\Explorer.EXE{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+be0e4|C:\Windows\System32\TwinUI.dll+be797|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+54869|C:\Windows\System32\combase.dll+1279|C:\Windows\System32\RPCRT4.dll+658cb|C:\Windows\System32\combase.dll+3b22c|C:\Windows\System32\combase.dll+3aee2|C:\Windows\System32\combase.dll+39788|C:\Windows\System32\combase.dll+37c5f|C:\Windows\System32\combase.dll+36c4f|C:\Windows\System32\combase.dll+34346|C:\Windows\System32\combase.dll+33afa|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 354300x8000000000000000351795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:14:59.438{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63614-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000351794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:01.915{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=943F2748C59E69C5ECA5B584809D3B7B,SHA256=7F55FA9A75848ADAC0DD99FF889114AA7E6CC1726611C601F4925E09FF294595,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000351793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:01.913{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3500-000000007502}2408C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:01.911{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3300-000000007502}2176C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:01.906{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:01.903{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3100-000000007502}2816C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:01.900{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2F00-000000007502}2800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:01.898{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3000-000000007502}2780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 23542300x8000000000000000191620Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:01.154{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9996F067778778282160C49C05FCF8B9,SHA256=8361F31FD5C2AE35D3E7B8BB00FA919968533297F1A0B3FBC18B562002AE2217,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191621Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:02.238{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E700E93AEE4021E5012B373675E69CAC,SHA256=AD4A908B070E460627309A5A8DE66EB00EF87E2097DE311AB3AC5354DD042234,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000351823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:02.668{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:02.666{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:02.662{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:02.659{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:02.650{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:02.645{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:02.643{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF6-6323-1401-000000007502}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:02.641{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:02.638{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F100-000000007502}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:02.635{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F000-000000007502}6028C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:02.634{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EF00-000000007502}5984C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:02.626{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EE00-000000007502}5852C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:02.584{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:02.566{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:02.546{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:02.493{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:02.482{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-9100-000000007502}4556C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:02.469{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-8E00-000000007502}4492C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:02.460{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8B00-000000007502}4360C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:02.459{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8900-000000007502}900C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:02.457{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B64-6323-8600-000000007502}5052c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:02.454{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B5A-6323-8400-000000007502}4824C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:02.450{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AF2-6323-7D00-000000007502}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:02.444{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:02.437{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4C00-000000007502}3976C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:02.435{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4700-000000007502}3772C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:02.433{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE1-6323-4600-000000007502}3752C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000351796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:02.433{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE0-6323-3A00-000000007502}3404C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000191625Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:03.975{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0C00-000000007602}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191624Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:03.958{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191623Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:03.950{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0900-000000007602}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 23542300x8000000000000000191622Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:03.325{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E97D0E651B193061774028F7021606FE,SHA256=5EFD9838A471A70E5B3F6B133B26F37CD6F138179FA2CB50098DA1B0DA3A4CC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:03.252{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCC115F4DA7B7102261D28FED0E460C8,SHA256=2251C7460F40B5E7B32DA668F72084C3625DFBD9CAB7904290B88099906C78B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191660Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:04.996{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AEB7C00819A6CB8C51E24B90DBC404A,SHA256=F99B18BAE6AC4AC17E2F5A34F606A3877D899A2D06BF680C2B483797C8D3AE1C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000351829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:04.718{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000351828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:04.718{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000351827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:04.718{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000351826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:04.718{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 23542300x8000000000000000351825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:04.316{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73BCC206A42766894760473C0CDFB044,SHA256=1DDA3717D00551848EFC60EBB8395DEE21919F6B5BC60005A8099C0FC54DEE96,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191659Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:01.442{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49930-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000191658Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:04.172{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B84-6323-9000-000000007602}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191657Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:04.165{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191656Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:04.152{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191655Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:04.148{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8700-000000007602}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191654Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:04.142{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B81-6323-8400-000000007602}3052C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191653Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:04.138{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B80-6323-8100-000000007602}640C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191652Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:04.137{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B7F-6323-7F00-000000007602}1676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191651Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:04.135{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B4B-6323-7B00-000000007602}2656C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191650Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:04.133{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AE3-6323-6D00-000000007602}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191649Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:04.132{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191648Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:04.129{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4200-000000007602}3036C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191647Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:04.128{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4000-000000007602}3000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191646Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:04.127{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-3C00-000000007602}2820C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191645Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:04.126{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD2-6323-2B00-000000007602}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191644Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:04.125{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2600-000000007602}2612C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191643Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:04.123{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2500-000000007602}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191642Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:04.119{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191641Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:04.115{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191640Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:04.113{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2000-000000007602}2000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191639Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:04.111{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1F00-000000007602}1984C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191638Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:04.107{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1C00-000000007602}1924C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191637Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:04.101{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1900-000000007602}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191636Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:04.091{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1700-000000007602}1228C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191635Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:04.090{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1600-000000007602}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191634Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:04.083{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1500-000000007602}1056C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191633Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:04.065{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1400-000000007602}1048C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191632Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:04.060{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1300-000000007602}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191631Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:04.054{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1200-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191630Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:04.048{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1100-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191629Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:04.039{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1000-000000007602}940C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191628Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:04.021{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0F00-000000007602}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191627Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:04.011{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0E00-000000007602}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191626Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:04.003{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0D00-000000007602}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 23542300x8000000000000000351839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:05.405{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4E6D97761D1043C612808DCEDA73F71,SHA256=942E57CEFBC639A6AD3C0F0E3DCEFB17F4E3872C25295DC081FCAC0AFA4676D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000351838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:05.338{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000351837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:05.338{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000351836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:05.335{6820D070-4AD1-6323-0C00-000000007502}8285280C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000351835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:05.335{6820D070-4AD1-6323-0C00-000000007502}8285280C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000351834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:05.335{6820D070-4AD1-6323-0C00-000000007502}8285280C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000351833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:05.335{6820D070-4B7E-6323-9000-000000007502}3564588C:\Windows\system32\sihost.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2064e|C:\Windows\SYSTEM32\ntdll.dll+1e864|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:05.270{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000351831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:05.270{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 10341000x8000000000000000351830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:05.270{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc 23542300x8000000000000000351840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:06.386{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A23816141ECC2353D45BB8B6CEC5B280,SHA256=4E3ACE5125191009EAFDDA85BCF000CB0834BBDBDC9D8E2870C9F6B01E3197BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191665Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:06.305{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191664Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:06.305{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191663Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:06.305{E743DC12-4ACF-6323-0B00-000000007602}6282712C:\Windows\system32\lsass.exe{E743DC12-4AD0-6323-1400-000000007602}1048C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191662Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:06.292{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-1D00-000000007602}1944C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191661Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:06.017{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E2E45B96E5C2091697056DAEBF1D98B,SHA256=6EC2C95F246A3E69ACDEEE58F5D5BD27086D37145EFB7A07AB49E74F49C878D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000351842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:05.306{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63615-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000351841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:07.472{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AB36D4A1C474A1E7BDF57BFCCA7FEE6,SHA256=FD438CA75B1A5F15988A0FD6F17A7B97D315FEED84E1479DB4D9C2E994577CDC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191674Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:07.666{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4F8B-6323-1601-000000007602}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191673Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:07.665{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191672Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:07.664{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191671Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:07.664{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191670Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:07.664{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191669Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:07.664{E743DC12-4ACF-6323-0500-000000007602}4121064C:\Windows\system32\csrss.exe{E743DC12-4F8B-6323-1601-000000007602}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191668Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:07.664{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4F8B-6323-1601-000000007602}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191667Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:07.664{E743DC12-4F8B-6323-1601-000000007602}3568C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000191666Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:07.111{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9E851248847FB7DFDD81CF753D59971,SHA256=8D32F68446E1DE52DD5BA0386168394D478ECB3751DEA768227D5D60476E06E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:08.602{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=645E6FBC0849D677B09594425CEA84F1,SHA256=05D73183BBEAB7A3B07EF9C15B91739D46BF73415C411918A0FEDB87840DD630,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191693Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:08.939{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4F8C-6323-1801-000000007602}4908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191692Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:08.939{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191691Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:08.939{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191690Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:08.939{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191689Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:08.939{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191688Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:08.939{E743DC12-4ACF-6323-0500-000000007602}412528C:\Windows\system32\csrss.exe{E743DC12-4F8C-6323-1801-000000007602}4908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191687Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:08.939{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4F8C-6323-1801-000000007602}4908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191686Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:08.940{E743DC12-4F8C-6323-1801-000000007602}4908C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000191685Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:08.715{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5CAEF83BD297410A5D19CFD6283E31A7,SHA256=49FC344DF2B8545E9C311619BC838CC5C01DD5E79A13737843F92EE256DF3740,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191684Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:08.549{E743DC12-4F8C-6323-1701-000000007602}21481816C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191683Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:08.326{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4F8C-6323-1701-000000007602}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191682Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:08.326{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191681Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:08.326{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191680Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:08.326{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191679Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:08.326{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191678Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:08.326{E743DC12-4ACF-6323-0500-000000007602}4121064C:\Windows\system32\csrss.exe{E743DC12-4F8C-6323-1701-000000007602}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191677Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:08.326{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4F8C-6323-1701-000000007602}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191676Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:08.326{E743DC12-4F8C-6323-1701-000000007602}2148C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000191675Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:08.201{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03B0ACA89229547F28134EFB847F57DD,SHA256=1CBA8ED2B412036075A2D85E21D27A450B9433928D51409E1AB70BDED9EAC279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:09.687{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8363B8693B30A513BBCCCDFB9B5404D,SHA256=1A97B209F1BA0E63B288241EF923561734363C92199F7CCC3F58B8A70426B679,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191711Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:09.782{E743DC12-4F8D-6323-1901-000000007602}3236824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191710Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:09.722{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4F8D-6323-1901-000000007602}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 10341000x8000000000000000191709Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:09.722{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4F8D-6323-1901-000000007602}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 10341000x8000000000000000191708Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:09.722{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4F8D-6323-1901-000000007602}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 10341000x8000000000000000191707Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:09.722{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4F8D-6323-1901-000000007602}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 10341000x8000000000000000191706Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:09.722{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4F8D-6323-1901-000000007602}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 10341000x8000000000000000191705Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:09.722{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4F8D-6323-1901-000000007602}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 23542300x8000000000000000191704Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:09.702{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=6B9A6BB54ABEEE1A6CF0A58CBEC7980A,SHA256=03C09EBD3F7A8360462FC597DE95FFB672C1D8BE69574076310584F8FD72A922,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191703Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:09.615{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4F8D-6323-1901-000000007602}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191702Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:09.615{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191701Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:09.615{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191700Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:09.615{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191699Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:09.615{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191698Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:09.615{E743DC12-4ACF-6323-0500-000000007602}4121064C:\Windows\system32\csrss.exe{E743DC12-4F8D-6323-1901-000000007602}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191697Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:09.615{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4F8D-6323-1901-000000007602}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191696Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:09.616{E743DC12-4F8D-6323-1901-000000007602}3236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000191695Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:07.326{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49931-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000191694Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:09.283{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A473D86325EB9C4383A771D001995D4,SHA256=F9E64B6D13673CEA15B55B1E4A10393E56C4B4DF5D490EA797CB876EBB19EA7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:10.773{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF357DA75E035137DC0C3E2A911FC3A0,SHA256=FA0A61F3B972D1729225760DB0AD6CBF30D3030516E097D868C389836321E979,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191729Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:10.959{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4F8E-6323-1B01-000000007602}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191728Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:10.959{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191727Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:10.959{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191726Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:10.959{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191725Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:10.959{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191724Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:10.959{E743DC12-4ACF-6323-0500-000000007602}412428C:\Windows\system32\csrss.exe{E743DC12-4F8E-6323-1B01-000000007602}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191723Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:10.959{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4F8E-6323-1B01-000000007602}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191722Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:10.960{E743DC12-4F8E-6323-1B01-000000007602}4896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000191721Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:10.422{E743DC12-4F8E-6323-1A01-000000007602}23843412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191720Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:10.375{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78E7757564180A6FE0B45ABFCF32C930,SHA256=141A9309561460B33DEB3309A1A2202F9FE08125D8A9ADCA415BA3753D64CAD2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191719Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:10.282{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4F8E-6323-1A01-000000007602}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191718Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:10.282{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191717Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:10.282{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191716Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:10.282{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191715Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:10.282{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191714Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:10.282{E743DC12-4ACF-6323-0500-000000007602}4121064C:\Windows\system32\csrss.exe{E743DC12-4F8E-6323-1A01-000000007602}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191713Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:10.282{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4F8E-6323-1A01-000000007602}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191712Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:10.282{E743DC12-4F8E-6323-1A01-000000007602}2384C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000351846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:11.889{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15DEDC8981FC3CCFB1FEAD9D9D74C228,SHA256=1DF8E3D8B6A66FDCB6AA48DA98DF09376346E4B38F763BAA7532CC7B173260A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191739Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:11.515{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4F8F-6323-1C01-000000007602}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191738Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:11.515{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191737Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:11.515{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191736Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:11.515{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191735Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:11.515{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191734Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:11.515{E743DC12-4ACF-6323-0500-000000007602}412428C:\Windows\system32\csrss.exe{E743DC12-4F8F-6323-1C01-000000007602}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191733Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:11.515{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4F8F-6323-1C01-000000007602}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191732Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:11.516{E743DC12-4F8F-6323-1C01-000000007602}5000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000191731Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:11.464{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94AD40B44EAA0C9B4CA52011BB254E42,SHA256=BE4E6A1DAB20AF418677DED329E6DA2CCA89E1ED0E9B5359CCE4C018F924BCE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191730Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:11.162{E743DC12-4F8E-6323-1B01-000000007602}4896524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191741Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:12.553{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50A05FB809CB5A30193BEDE623008D59,SHA256=5ACC230C5DE67F760544A2ECCF4ABD8BB54EAECDBBF71C244640AE1C8BAFDFC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191740Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:12.392{E743DC12-4AD1-6323-2200-000000007602}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=343EA2E9E0C1D0E4368EC052E0B3A7F0,SHA256=5D7C54055D87A037E2B4FC3FFDDA80707E0DA8F8A7FC5C13875A8FA0F3681D4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191742Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:13.653{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6CE52537A30F5343E5224F97F51EA3F,SHA256=57040658389A3FFC8C7508A20D0DC8BD8DFF46F13766B6F012E71B279D090B0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000351848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:11.293{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63616-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000351847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:13.006{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55DB8CDA7FAAE3B0AF1FF6413E80E410,SHA256=CD88AEE4597165E7CDDF6465B9786D461F3FF4E795C417E8064F2ED1734947BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191744Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:14.748{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA59EBA0C6DD0243F1434F02561FDEAE,SHA256=FF7F2B9F566987730921EFB332A2CD2E787F5E66FEF743CD1A215B7EDDA78126,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:14.125{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07E7F3F4D05A1095CB9F479CE55691B5,SHA256=E4C791C72E025DE69845019CBD2CE51A8BBCA4BE262A1798075CC2C73D8D1DFB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191743Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:12.445{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49932-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000191745Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:15.849{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=214B63F5C9F4C56BD2549FFE4BE5FC33,SHA256=1AC8304B1AC0CC87EDB60E159E6F0FF45F2A07BF02E9EEE91BEDF03F34094238,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:15.228{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85E59BD2558C9A88DA41209FCFAFFF0A,SHA256=FCA43AEC6AFD22464CA5A31071802CC11E38AF4B5375A42AC7D9D1074E3E15BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000351850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:15.142{6820D070-4AD1-6323-0D00-000000007502}8883304C:\Windows\system32\svchost.exe{6820D070-4AE2-6323-4C00-000000007502}3976C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191746Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:16.938{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70AADE940216CC3758742795E7FF7B6B,SHA256=065377E26325ABCF4AA156A0CD0F22347DB13258AD27D599A5CA17869B56ECF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:16.243{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38DCD787A53E528A93BF7C90649F57C5,SHA256=C66F41F0FCF657799B20381679940758CC9388E7A283B6F8C18ECFFAE0AC7A3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:17.378{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00F2BBFB9B4CE21527AE6907F2CBCE15,SHA256=ED93E2280B9E5D16FEB82A4DE234D8CB7B5B75397E47A813EF1D6EDF2AFFA8B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000351855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:16.435{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63617-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000351854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:18.495{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A3711BAAEA3B23ED6F497331281FBD2,SHA256=EFEDE6E2B73B136D02EF97C3338898E7C2BEBF225CA3A55DB02F27CFE658BB23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191747Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:18.038{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BB844E75756566666835B983774B392,SHA256=19A5EB00E2CED8F4AD88640A1424F0BBC4FBD57720177A08197C61BAE9173ACA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000351880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:19.706{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2E00-000000007502}2728C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:19.705{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2D00-000000007502}2720C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:19.701{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 23542300x8000000000000000351877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:19.662{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B15B9E080E66F4DE227930E024D2B646,SHA256=6C50BAF927FEB49DB7D044FC6FA7A651591230DC3D59608523BB3380E5F0AC8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191748Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:19.131{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3BC48FB861C9FA73156776D3A41D655,SHA256=0F348FE96DA9545C26DDA74B5BD311048F1414FDAC3E8C80A77DAD42C778391A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000351876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:19.347{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:19.342{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2900-000000007502}2576C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:19.336{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:19.325{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2600-000000007502}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:19.318{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2500-000000007502}2460C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:19.315{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADB-6323-2300-000000007502}2300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:19.313{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD2-6323-1B00-000000007502}1512C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:19.312{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1700-000000007502}1348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:19.303{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1600-000000007502}1292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:19.278{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:19.272{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1400-000000007502}1160C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:19.267{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1300-000000007502}924C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:19.258{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1200-000000007502}396C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:19.250{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1100-000000007502}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:19.243{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1000-000000007502}428C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:19.233{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0F00-000000007502}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:19.218{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:19.210{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0D00-000000007502}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:19.203{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:19.163{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:19.161{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0900-000000007502}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 23542300x8000000000000000351881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:20.752{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8DFDDC49317A275D42ED81EA61EFA3A,SHA256=F19A949858E2CD344567AF9DD6465E567B0CFF76E446CABDDCD0048BEBF2AF55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191751Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:20.855{E743DC12-4AD1-6323-2200-000000007602}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191750Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:18.475{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49933-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000191749Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:20.223{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEB29CDA80A3EB09407C5A4D3E3A9974,SHA256=773B40FFEF3884EFCE8849FA217DB71FF9A18A6E450D421F7A29D12CB41412F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:21.833{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=389BF9615A567FFF68ED7E9BCAD5B765,SHA256=96CD553427AD00616F8028C3A24A379461EFAFC1E99AB65EE527EFFEEDF98B0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191752Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:21.328{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EF7A781D4735C0E93D916EAC908D6F1,SHA256=A7D6571B421A37FBF7FC81CBFC68AA3AA9103C9978DFC8663D24CBBDE4E4BA4C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000351894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:21.754{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3500-000000007502}2408C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:21.752{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3300-000000007502}2176C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:21.749{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:21.733{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3100-000000007502}2816C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:21.730{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2F00-000000007502}2800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:21.723{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3000-000000007502}2780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 734700x8000000000000000351888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:21.633{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000351887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:21.631{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000351886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:21.630{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000351885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:21.627{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000351884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:21.626{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000351883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:21.626{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000351882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:21.623{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000191754Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:20.064{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49934-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000191753Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:22.422{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A470A7AEF39F065F6598C7E8BCACD156,SHA256=F046873DD2FFAB91B83817A7AC095DED3772AE08A87B36A8F708DDCBD8E71E4E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000351924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:22.428{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:22.422{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:22.419{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:22.416{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:22.414{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:22.409{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:22.406{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF6-6323-1401-000000007502}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:22.405{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:22.401{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F100-000000007502}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:22.398{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F000-000000007502}6028C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:22.396{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EF00-000000007502}5984C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:22.389{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EE00-000000007502}5852C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:22.378{6820D070-4AD1-6323-0D00-000000007502}8883304C:\Windows\system32\svchost.exe{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:22.372{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:22.366{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:22.353{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:22.316{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:22.309{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-9100-000000007502}4556C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:22.299{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-8E00-000000007502}4492C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:22.291{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8B00-000000007502}4360C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:22.284{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8900-000000007502}900C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:22.282{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B64-6323-8600-000000007502}5052c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:22.280{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B5A-6323-8400-000000007502}4824C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:22.278{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AF2-6323-7D00-000000007502}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:22.276{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:22.272{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4C00-000000007502}3976C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:22.271{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4700-000000007502}3772C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:22.269{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE1-6323-4600-000000007502}3752C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000351896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:22.269{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE0-6323-3A00-000000007502}3404C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000191763Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:23.992{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1100-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000191762Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:23.978{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1000-000000007602}940C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000191761Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:23.970{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0F00-000000007602}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000191760Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:23.960{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0E00-000000007602}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000191759Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:23.947{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0D00-000000007602}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000191758Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:23.940{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0C00-000000007602}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000191757Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:23.932{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000191756Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:23.930{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0900-000000007602}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 23542300x8000000000000000191755Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:23.530{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58CEE8D5B845D6D34B60351CB46C0E0D,SHA256=608489D4B633A48B526B2E7EFD086435483F18CF4495C09257FBBDE7F94FA4A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.954{6820D070-4ADF-6323-3200-000000007502}2936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000351977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.874{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=1448FE7818CD0566F8F683954652A198,SHA256=2732307583DB1448DA13C169A9A400DA1062048F0BFA261E4907335D256EBEF9,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000351976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.684{6820D070-4F9B-6323-7001-000000007502}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000351975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.669{6820D070-4F9B-6323-7001-000000007502}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000351974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.669{6820D070-4F9B-6323-7001-000000007502}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000351973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.515{6820D070-4F9B-6323-7001-000000007502}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000351972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.515{6820D070-4F9B-6323-7001-000000007502}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000351971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.515{6820D070-4F9B-6323-7001-000000007502}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000351970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.515{6820D070-4F9B-6323-7001-000000007502}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000351969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.515{6820D070-4F9B-6323-7001-000000007502}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000351968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.515{6820D070-4F9B-6323-7001-000000007502}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000351967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.515{6820D070-4F9B-6323-7001-000000007502}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000351966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.515{6820D070-4F9B-6323-7001-000000007502}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000351965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.500{6820D070-4F9B-6323-7001-000000007502}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000351964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.500{6820D070-4F9B-6323-7001-000000007502}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000351963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.500{6820D070-4F9B-6323-7001-000000007502}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000351962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.500{6820D070-4F9B-6323-7001-000000007502}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000351961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.500{6820D070-4F9B-6323-7001-000000007502}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000351960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.500{6820D070-4F9B-6323-7001-000000007502}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000351959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.500{6820D070-4F9B-6323-7001-000000007502}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000351958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.500{6820D070-4F9B-6323-7001-000000007502}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000351957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.500{6820D070-4F9B-6323-7001-000000007502}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000351956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.500{6820D070-4F9B-6323-7001-000000007502}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000351955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.500{6820D070-4F9B-6323-7001-000000007502}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000351954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.500{6820D070-4F9B-6323-7001-000000007502}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000351953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.500{6820D070-4F9B-6323-7001-000000007502}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000351952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.500{6820D070-4F9B-6323-7001-000000007502}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000351951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.500{6820D070-4F9B-6323-7001-000000007502}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000351950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.500{6820D070-4F9B-6323-7001-000000007502}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000351949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.500{6820D070-4F9B-6323-7001-000000007502}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000351948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.500{6820D070-4F9B-6323-7001-000000007502}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000351947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.500{6820D070-4F9B-6323-7001-000000007502}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000351946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.500{6820D070-4F9B-6323-7001-000000007502}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000351945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.500{6820D070-4F9B-6323-7001-000000007502}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000351944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.500{6820D070-4F9B-6323-7001-000000007502}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000351943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.500{6820D070-4F9B-6323-7001-000000007502}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000351942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.500{6820D070-4F9B-6323-7001-000000007502}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000351941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.500{6820D070-4F9B-6323-7001-000000007502}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000351940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.500{6820D070-4F9B-6323-7001-000000007502}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000351939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.500{6820D070-4F9B-6323-7001-000000007502}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000351938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.500{6820D070-4F9B-6323-7001-000000007502}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 10341000x8000000000000000351937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.500{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4F9B-6323-7001-000000007502}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000351936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.500{6820D070-4F9B-6323-7001-000000007502}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000351935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.500{6820D070-4F9B-6323-7001-000000007502}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000351934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.500{6820D070-4F9B-6323-7001-000000007502}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000351933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.500{6820D070-4F9B-6323-7001-000000007502}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000351932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.500{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.500{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.500{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.500{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.500{6820D070-4ACF-6323-0500-000000007502}404472C:\Windows\system32\csrss.exe{6820D070-4F9B-6323-7001-000000007502}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000351927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.500{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4F9B-6323-7001-000000007502}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000351926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.501{6820D070-4F9B-6323-7001-000000007502}6412C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000351925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.015{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=716D970A5888C9F223D2755C5F952D11,SHA256=8910C66C93C0972C8D07FC079F26125A08627E41F278A106544C86D7292B9DA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191792Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:24.918{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF4549938CFBBC96E06CB45BC290E8B6,SHA256=2F9F8901194B5932998DB26B220C687643A7A945C7B7B71E1BCE1979DCE5ADA9,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000352093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.951{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000352092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.936{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000352091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.936{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 10341000x8000000000000000352090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.896{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000352089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.896{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000352088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.896{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000352087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.895{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000352086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.895{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000352085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.895{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 23542300x8000000000000000352084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.803{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CB5DC7B92484A2664D4F01820B3248A,SHA256=B081AF08EA7589C039F454C1BA13988243C56351247ED9BEDFF5A5BE990F4E13,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000352083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.745{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000352082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.744{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000352081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.742{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000352080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.741{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000352079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.739{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000352078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.739{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000352077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.736{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000352076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.736{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000352075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.717{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000352074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.717{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000352073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.717{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000352072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.717{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000352071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.717{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000352070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.717{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000352069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.717{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000352068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.717{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000352067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.717{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000352066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.717{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000352065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.717{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000352064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.717{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000352063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.717{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000352062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.717{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000352061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.717{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000352060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.717{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000352059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.717{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000352058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.717{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000352057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.717{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000352056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.717{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000352055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.717{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000352054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.717{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000352053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.717{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000352052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.717{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000352051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.717{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000352050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.717{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000352049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.717{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000352048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.717{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000352047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.717{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000352046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.717{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000352045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.717{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000352044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.717{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000352043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.717{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000352042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.717{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000352041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.717{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000352040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.717{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000352039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.717{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.717{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191791Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:24.177{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B84-6323-9000-000000007602}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000191790Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:24.167{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000191789Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:24.146{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000191788Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:24.141{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8700-000000007602}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000191787Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:24.134{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B81-6323-8400-000000007602}3052C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000191786Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:24.130{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B80-6323-8100-000000007602}640C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000191785Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:24.128{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B7F-6323-7F00-000000007602}1676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000191784Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:24.126{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B4B-6323-7B00-000000007602}2656C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000191783Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:24.124{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AE3-6323-6D00-000000007602}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000191782Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:24.121{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000191781Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:24.117{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4200-000000007602}3036C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000191780Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:24.116{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4000-000000007602}3000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000191779Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:24.114{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-3C00-000000007602}2820C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000191778Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:24.113{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD2-6323-2B00-000000007602}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000191777Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:24.112{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2600-000000007602}2612C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000191776Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:24.111{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2500-000000007602}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000191775Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:24.108{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000191774Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:24.104{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000191773Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:24.100{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2000-000000007602}2000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000191772Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:24.097{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1F00-000000007602}1984C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000191771Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:24.091{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1C00-000000007602}1924C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000191770Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:24.085{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1900-000000007602}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000191769Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:24.061{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1700-000000007602}1228C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000191768Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:24.059{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1600-000000007602}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000191767Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:24.045{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1500-000000007602}1056C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000191766Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:24.020{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1400-000000007602}1048C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000191765Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:24.013{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1300-000000007602}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000191764Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:24.004{E743DC12-4AD0-6323-1D00-000000007602}19442492C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1200-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 734700x8000000000000000352037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.717{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000352036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.717{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.717{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.717{6820D070-4ACF-6323-0500-000000007502}404420C:\Windows\system32\csrss.exe{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000352033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.717{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000352032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.718{6820D070-4F9C-6323-7201-000000007502}9096C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000352031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.570{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C01C1811E7B7134F35E319F89F63AAB6,SHA256=63CE737C931766C36C6BF93B830A6E0C4D563319BF3D7DC2E36C197AD03E7341,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000352030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.336{6820D070-4F9C-6323-7101-000000007502}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000352029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.336{6820D070-4F9C-6323-7101-000000007502}1019610132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000352028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.336{6820D070-4F9C-6323-7101-000000007502}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000352027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.336{6820D070-4F9C-6323-7101-000000007502}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000352026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.135{6820D070-4F9C-6323-7101-000000007502}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000352025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.135{6820D070-4F9C-6323-7101-000000007502}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000352024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.135{6820D070-4F9C-6323-7101-000000007502}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000352023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.135{6820D070-4F9C-6323-7101-000000007502}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000352022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.135{6820D070-4F9C-6323-7101-000000007502}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000352021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.135{6820D070-4F9C-6323-7101-000000007502}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000352020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.135{6820D070-4F9C-6323-7101-000000007502}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000352019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.135{6820D070-4F9C-6323-7101-000000007502}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000352018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.116{6820D070-4F9C-6323-7101-000000007502}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000352017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.116{6820D070-4F9C-6323-7101-000000007502}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000352016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.116{6820D070-4F9C-6323-7101-000000007502}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000352015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.116{6820D070-4F9C-6323-7101-000000007502}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000352014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.116{6820D070-4F9C-6323-7101-000000007502}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000352013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.116{6820D070-4F9C-6323-7101-000000007502}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000352012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.116{6820D070-4F9C-6323-7101-000000007502}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000352011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.116{6820D070-4F9C-6323-7101-000000007502}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000352010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.116{6820D070-4F9C-6323-7101-000000007502}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000352009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.116{6820D070-4F9C-6323-7101-000000007502}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000352008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.116{6820D070-4F9C-6323-7101-000000007502}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000352007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.116{6820D070-4F9C-6323-7101-000000007502}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000352006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.116{6820D070-4F9C-6323-7101-000000007502}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000352005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.116{6820D070-4F9C-6323-7101-000000007502}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000352004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.116{6820D070-4F9C-6323-7101-000000007502}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000352003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.116{6820D070-4F9C-6323-7101-000000007502}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000352002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.116{6820D070-4F9C-6323-7101-000000007502}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000352001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.116{6820D070-4F9C-6323-7101-000000007502}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000352000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.116{6820D070-4F9C-6323-7101-000000007502}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000351999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.116{6820D070-4F9C-6323-7101-000000007502}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000351998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.116{6820D070-4F9C-6323-7101-000000007502}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000351997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.116{6820D070-4F9C-6323-7101-000000007502}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000351996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.116{6820D070-4F9C-6323-7101-000000007502}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000351995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.116{6820D070-4F9C-6323-7101-000000007502}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000351994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.116{6820D070-4F9C-6323-7101-000000007502}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000351993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.116{6820D070-4F9C-6323-7101-000000007502}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000351992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.116{6820D070-4F9C-6323-7101-000000007502}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000351991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.116{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4F9C-6323-7101-000000007502}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000351990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.116{6820D070-4F9C-6323-7101-000000007502}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000351989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.116{6820D070-4F9C-6323-7101-000000007502}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000351988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.116{6820D070-4F9C-6323-7101-000000007502}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000351987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.116{6820D070-4F9C-6323-7101-000000007502}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000351986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.116{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.116{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.116{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.116{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000351982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.116{6820D070-4ACF-6323-0500-000000007502}404420C:\Windows\system32\csrss.exe{6820D070-4F9C-6323-7101-000000007502}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000351981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.116{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4F9C-6323-7101-000000007502}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000351980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.120{6820D070-4F9C-6323-7101-000000007502}10196C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000351979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:24.116{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D38E707041391FD5EA033F4FFF305643,SHA256=D0B79B4F0C1F469C513A45EAE280D7B4E0C1E82495187D40420C053293D8BC53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191794Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:25.939{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E0403054F75EA47D87EE00F846DE5FE,SHA256=279B3CAB909ACCCBBB275AAD8761E0737C92FF69F72E3861A42D56F5B48CCCBA,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000352195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.954{6820D070-4F9D-6323-7401-000000007502}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000352194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.954{6820D070-4F9D-6323-7401-000000007502}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000352193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.954{6820D070-4F9D-6323-7401-000000007502}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000352192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.954{6820D070-4F9D-6323-7401-000000007502}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000352191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.951{6820D070-4F9D-6323-7401-000000007502}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000352190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.951{6820D070-4F9D-6323-7401-000000007502}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000352189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.951{6820D070-4F9D-6323-7401-000000007502}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000352188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.951{6820D070-4F9D-6323-7401-000000007502}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000352187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.951{6820D070-4F9D-6323-7401-000000007502}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000352186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.935{6820D070-4F9D-6323-7401-000000007502}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000352185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.935{6820D070-4F9D-6323-7401-000000007502}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000352184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.935{6820D070-4F9D-6323-7401-000000007502}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000352183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.935{6820D070-4F9D-6323-7401-000000007502}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000352182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.935{6820D070-4F9D-6323-7401-000000007502}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000352181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.935{6820D070-4F9D-6323-7401-000000007502}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000352180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.935{6820D070-4F9D-6323-7401-000000007502}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000352179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.935{6820D070-4F9D-6323-7401-000000007502}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000352178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.935{6820D070-4F9D-6323-7401-000000007502}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000352177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.935{6820D070-4F9D-6323-7401-000000007502}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000352176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.935{6820D070-4F9D-6323-7401-000000007502}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000352175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.935{6820D070-4F9D-6323-7401-000000007502}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000352174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.935{6820D070-4F9D-6323-7401-000000007502}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000352173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.935{6820D070-4F9D-6323-7401-000000007502}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000352172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.935{6820D070-4F9D-6323-7401-000000007502}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000352171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.935{6820D070-4F9D-6323-7401-000000007502}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000352170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.935{6820D070-4F9D-6323-7401-000000007502}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000352169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.935{6820D070-4F9D-6323-7401-000000007502}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000352168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.935{6820D070-4F9D-6323-7401-000000007502}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000352167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.935{6820D070-4F9D-6323-7401-000000007502}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000352166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.935{6820D070-4F9D-6323-7401-000000007502}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000352165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.935{6820D070-4F9D-6323-7401-000000007502}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000352164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.935{6820D070-4F9D-6323-7401-000000007502}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000352163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.935{6820D070-4F9D-6323-7401-000000007502}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000352162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.935{6820D070-4F9D-6323-7401-000000007502}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000352161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.935{6820D070-4F9D-6323-7401-000000007502}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000352160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.935{6820D070-4F9D-6323-7401-000000007502}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000352159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.935{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4F9D-6323-7401-000000007502}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000352158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.935{6820D070-4F9D-6323-7401-000000007502}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000352157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.935{6820D070-4F9D-6323-7401-000000007502}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000352156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.935{6820D070-4F9D-6323-7401-000000007502}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000352155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.935{6820D070-4F9D-6323-7401-000000007502}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000352154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.935{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.935{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.935{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.935{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.935{6820D070-4ACF-6323-0500-000000007502}404520C:\Windows\system32\csrss.exe{6820D070-4F9D-6323-7401-000000007502}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000352149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.935{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4F9D-6323-7401-000000007502}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000352148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.936{6820D070-4F9D-6323-7401-000000007502}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000352147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.570{6820D070-4F9D-6323-7301-000000007502}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000352146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.570{6820D070-4F9D-6323-7301-000000007502}74327500C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000352145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.554{6820D070-4F9D-6323-7301-000000007502}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000352144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.554{6820D070-4F9D-6323-7301-000000007502}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000352143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.386{6820D070-4F9D-6323-7301-000000007502}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000352142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.386{6820D070-4F9D-6323-7301-000000007502}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000352141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.386{6820D070-4F9D-6323-7301-000000007502}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000352140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.386{6820D070-4F9D-6323-7301-000000007502}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000352139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.386{6820D070-4F9D-6323-7301-000000007502}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000352138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.386{6820D070-4F9D-6323-7301-000000007502}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000352137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.386{6820D070-4F9D-6323-7301-000000007502}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000352136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.386{6820D070-4F9D-6323-7301-000000007502}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000352135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.370{6820D070-4F9D-6323-7301-000000007502}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000352134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.370{6820D070-4F9D-6323-7301-000000007502}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000352133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.370{6820D070-4F9D-6323-7301-000000007502}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000352132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.354{6820D070-4F9D-6323-7301-000000007502}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000352131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.354{6820D070-4F9D-6323-7301-000000007502}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000352130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.354{6820D070-4F9D-6323-7301-000000007502}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000352129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.354{6820D070-4F9D-6323-7301-000000007502}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000352128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.354{6820D070-4F9D-6323-7301-000000007502}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000352127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.354{6820D070-4F9D-6323-7301-000000007502}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000352126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.354{6820D070-4F9D-6323-7301-000000007502}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000352125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.354{6820D070-4F9D-6323-7301-000000007502}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000352124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.354{6820D070-4F9D-6323-7301-000000007502}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000352123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.354{6820D070-4F9D-6323-7301-000000007502}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000352122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.354{6820D070-4F9D-6323-7301-000000007502}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000352121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.354{6820D070-4F9D-6323-7301-000000007502}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000352120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.354{6820D070-4F9D-6323-7301-000000007502}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000352119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.354{6820D070-4F9D-6323-7301-000000007502}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000352118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.354{6820D070-4F9D-6323-7301-000000007502}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000352117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.354{6820D070-4F9D-6323-7301-000000007502}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000352116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.354{6820D070-4F9D-6323-7301-000000007502}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000352115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.354{6820D070-4F9D-6323-7301-000000007502}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000352114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.354{6820D070-4F9D-6323-7301-000000007502}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000352113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.354{6820D070-4F9D-6323-7301-000000007502}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000352112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.354{6820D070-4F9D-6323-7301-000000007502}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000352111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.354{6820D070-4F9D-6323-7301-000000007502}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000352110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.354{6820D070-4F9D-6323-7301-000000007502}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000352109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.354{6820D070-4F9D-6323-7301-000000007502}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000352108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.354{6820D070-4F9D-6323-7301-000000007502}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000352107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.354{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4F9D-6323-7301-000000007502}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000352106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.354{6820D070-4F9D-6323-7301-000000007502}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000352105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.354{6820D070-4F9D-6323-7301-000000007502}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000352104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.354{6820D070-4F9D-6323-7301-000000007502}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000352103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.354{6820D070-4F9D-6323-7301-000000007502}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000352102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.354{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.354{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.354{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.354{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.354{6820D070-4ACF-6323-0500-000000007502}404472C:\Windows\system32\csrss.exe{6820D070-4F9D-6323-7301-000000007502}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000352097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.354{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4F9D-6323-7301-000000007502}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000352096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.354{6820D070-4F9D-6323-7301-000000007502}7432C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000352095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.354{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=683429D407EF548D6606EBD89B06AA8D,SHA256=D980F24D65BF590679F9E6C0E7225DCE18F21F5DCF8D102295074F88D8C7D78E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191793Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:23.492{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49935-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000352094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:22.408{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63618-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000352253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.741{6820D070-4ADF-6323-3200-000000007502}2936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=95F9F8ED7AF3DC056A9686765DA48316,SHA256=682C609EABDCF874C4D28CAB44F48C835CE51000DF505B23DA3E64039AF98FF4,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000352252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.606{6820D070-4F9E-6323-7501-000000007502}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000352251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.606{6820D070-4F9E-6323-7501-000000007502}740810096C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000352250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.606{6820D070-4F9E-6323-7501-000000007502}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000352249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.606{6820D070-4F9E-6323-7501-000000007502}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000352248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.470{6820D070-4F9E-6323-7501-000000007502}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000352247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.470{6820D070-4F9E-6323-7501-000000007502}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000352246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.470{6820D070-4F9E-6323-7501-000000007502}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000352245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.470{6820D070-4F9E-6323-7501-000000007502}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000352244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.470{6820D070-4F9E-6323-7501-000000007502}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000352243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.470{6820D070-4F9E-6323-7501-000000007502}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000352242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.455{6820D070-4F9E-6323-7501-000000007502}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000352241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.455{6820D070-4F9E-6323-7501-000000007502}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000352240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.455{6820D070-4F9E-6323-7501-000000007502}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000352239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.455{6820D070-4F9E-6323-7501-000000007502}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000352238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.455{6820D070-4F9E-6323-7501-000000007502}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000352237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.455{6820D070-4F9E-6323-7501-000000007502}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000352236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.455{6820D070-4F9E-6323-7501-000000007502}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000352235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.455{6820D070-4F9E-6323-7501-000000007502}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000352234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.455{6820D070-4F9E-6323-7501-000000007502}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000352233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.455{6820D070-4F9E-6323-7501-000000007502}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000352232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.455{6820D070-4F9E-6323-7501-000000007502}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000352231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.455{6820D070-4F9E-6323-7501-000000007502}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000352230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.455{6820D070-4F9E-6323-7501-000000007502}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000352229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.455{6820D070-4F9E-6323-7501-000000007502}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000352228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.455{6820D070-4F9E-6323-7501-000000007502}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000352227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.455{6820D070-4F9E-6323-7501-000000007502}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000352226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.455{6820D070-4F9E-6323-7501-000000007502}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000352225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.455{6820D070-4F9E-6323-7501-000000007502}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000352224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.455{6820D070-4F9E-6323-7501-000000007502}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000352223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.455{6820D070-4F9E-6323-7501-000000007502}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000352222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.455{6820D070-4F9E-6323-7501-000000007502}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000352221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.455{6820D070-4F9E-6323-7501-000000007502}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000352220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.455{6820D070-4F9E-6323-7501-000000007502}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000352219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.455{6820D070-4F9E-6323-7501-000000007502}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000352218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.455{6820D070-4F9E-6323-7501-000000007502}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000352217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.455{6820D070-4F9E-6323-7501-000000007502}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000352216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.455{6820D070-4F9E-6323-7501-000000007502}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000352215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.455{6820D070-4F9E-6323-7501-000000007502}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000352214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.455{6820D070-4F9E-6323-7501-000000007502}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000352213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.455{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4F9E-6323-7501-000000007502}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000352212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.455{6820D070-4F9E-6323-7501-000000007502}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000352211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.455{6820D070-4F9E-6323-7501-000000007502}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000352210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.455{6820D070-4F9E-6323-7501-000000007502}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000352209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.455{6820D070-4F9E-6323-7501-000000007502}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000352208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.455{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.455{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.455{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.455{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.455{6820D070-4ACF-6323-0500-000000007502}404420C:\Windows\system32\csrss.exe{6820D070-4F9E-6323-7501-000000007502}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000352203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.455{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4F9E-6323-7501-000000007502}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000352202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.455{6820D070-4F9E-6323-7501-000000007502}7408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000352201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.455{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B8DB0525BDB8D91E0F1D8B7AD34C5B8,SHA256=8A4577ECF798D36528B5332785C4AE34DAC85AADB2DCDAFDAB1D2917043ED388,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000352200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.154{6820D070-4F9D-6323-7401-000000007502}76087404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000352199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.154{6820D070-4F9D-6323-7401-000000007502}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000352198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.154{6820D070-4F9D-6323-7401-000000007502}7608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000352197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:26.117{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A41A5E91189A56E3E96A038288DB81F9,SHA256=55602408638D2037EF8C77E29C4218B800503E9584421FD1084C2342C7B80CAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000352196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:23.139{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63619-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000352306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.558{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18230CB55210142455858BCAAC5699D2,SHA256=5484C532E6FE08DA8141E27B36D45E466006E2ABE9ADD4A7679311E2905331FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191795Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:27.040{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B57366E0757BC3CAE7787F9D9C23B34D,SHA256=F4A199A37F813CBE0C53BB46B796CD6AA87E7A19FA65C0106082231E871FC767,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000352305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.243{6820D070-4F9F-6323-7601-000000007502}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000352304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.243{6820D070-4F9F-6323-7601-000000007502}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000352303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.243{6820D070-4F9F-6323-7601-000000007502}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000352302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.198{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8988F4AEA435C04424FE710BDB7AD169,SHA256=372E90C25BDA7368D4B9F38675E3C54E351CF2FB2EDF21053BFEA44E1151424F,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000352301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.077{6820D070-4F9F-6323-7601-000000007502}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000352300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.077{6820D070-4F9F-6323-7601-000000007502}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000352299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.077{6820D070-4F9F-6323-7601-000000007502}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000352298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.077{6820D070-4F9F-6323-7601-000000007502}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000352297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.077{6820D070-4F9F-6323-7601-000000007502}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000352296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.077{6820D070-4F9F-6323-7601-000000007502}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000352295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.077{6820D070-4F9F-6323-7601-000000007502}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000352294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.061{6820D070-4F9F-6323-7601-000000007502}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000352293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.061{6820D070-4F9F-6323-7601-000000007502}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000352292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.061{6820D070-4F9F-6323-7601-000000007502}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000352291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.061{6820D070-4F9F-6323-7601-000000007502}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000352290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.061{6820D070-4F9F-6323-7601-000000007502}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000352289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.061{6820D070-4F9F-6323-7601-000000007502}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000352288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.061{6820D070-4F9F-6323-7601-000000007502}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000352287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.061{6820D070-4F9F-6323-7601-000000007502}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000352286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.061{6820D070-4F9F-6323-7601-000000007502}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000352285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.061{6820D070-4F9F-6323-7601-000000007502}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000352284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.061{6820D070-4F9F-6323-7601-000000007502}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000352283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.061{6820D070-4F9F-6323-7601-000000007502}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000352282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.061{6820D070-4F9F-6323-7601-000000007502}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000352281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.061{6820D070-4F9F-6323-7601-000000007502}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000352280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.061{6820D070-4F9F-6323-7601-000000007502}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000352279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.061{6820D070-4F9F-6323-7601-000000007502}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000352278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.061{6820D070-4F9F-6323-7601-000000007502}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000352277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.061{6820D070-4F9F-6323-7601-000000007502}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000352276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.061{6820D070-4F9F-6323-7601-000000007502}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000352275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.061{6820D070-4F9F-6323-7601-000000007502}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000352274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.061{6820D070-4F9F-6323-7601-000000007502}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000352273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.061{6820D070-4F9F-6323-7601-000000007502}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000352272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.061{6820D070-4F9F-6323-7601-000000007502}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000352271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.061{6820D070-4F9F-6323-7601-000000007502}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000352270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.061{6820D070-4F9F-6323-7601-000000007502}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000352269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.061{6820D070-4F9F-6323-7601-000000007502}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000352268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.061{6820D070-4F9F-6323-7601-000000007502}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000352267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.061{6820D070-4F9F-6323-7601-000000007502}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000352266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.061{6820D070-4F9F-6323-7601-000000007502}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000352265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.061{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4F9F-6323-7601-000000007502}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000352264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.061{6820D070-4F9F-6323-7601-000000007502}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000352263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.061{6820D070-4F9F-6323-7601-000000007502}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000352262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.061{6820D070-4F9F-6323-7601-000000007502}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000352261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.061{6820D070-4F9F-6323-7601-000000007502}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000352260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.058{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.058{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.058{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.058{6820D070-4AD1-6323-0C00-000000007502}828940C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.058{6820D070-4ACF-6323-0500-000000007502}404472C:\Windows\system32\csrss.exe{6820D070-4F9F-6323-7601-000000007502}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000352255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.058{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4F9F-6323-7601-000000007502}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000352254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:27.059{6820D070-4F9F-6323-7601-000000007502}7856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000352309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:28.661{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F122616E0A4CE16E3AD16AD339EDEFCC,SHA256=DCF2840B8BBE8B1B474AEB76F18A906A955A23F79F3D422D625D48790EA94B50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191796Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:28.132{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76936827CEC548E238613D5178A07297,SHA256=B2E9A7DCEB71F4C5645B04943944F5F0149E8A0633D85322F03BBD92F64A8142,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000352308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.859{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63620-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000352307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:25.859{6820D070-4ADF-6323-2600-000000007502}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63620-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 23542300x8000000000000000352310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:29.778{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AE2599F227CF564F368311AC358150C,SHA256=789F75EBC9680131E0A0684311E694F5EBCB5B37356E7990500B42A1EF6C70B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191798Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:29.219{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7195F784483DA4D0516268EF3CBB223E,SHA256=81250F0EDA1285C3BA567B6BD7C10572D6D0369E3F0E3E8EEF35E9601BA06B48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191797Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:29.109{E743DC12-4AD0-6323-1C00-000000007602}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\respondent-20220915155459-019MD5=36EB26F9EED14D2A649109B5B0D3FC1A,SHA256=D5225DBB467937E991D5678F78067E4612BF477D9EC2143F1C43E71004CE921E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000352311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:30.794{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AD73FC263A05A831CD6F9CD5B2CD53A,SHA256=C05DCEFCA42CC16F4F5FF7CF871E28E62071EE547D12D98F79965171D8C2AE32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191800Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:30.303{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE0ECB381B1800080B64A2CE4B28E869,SHA256=0C528D334C2D26EBCC60ECDE4C75B888DEAF64D52866A5248F7F81ADE56B0359,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191799Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:30.108{E743DC12-4AD0-6323-1C00-000000007602}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\surveyor-20220915155457-020MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000352313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:31.878{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83D793038BACE8CA631C99D644A7D081,SHA256=994D21F35E597E8084688BDA62203A9972E522EF412C41AF7915B28DEB6558D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191802Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:29.482{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49936-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000191801Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:31.411{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94C87678BDAC50AA43B3C8D6A14598B3,SHA256=2D80998793543222E72D64CBD56D5EAD558CF0FA7B0214469443F56CD221AADF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000352312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:28.417{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63621-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000352314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:32.950{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BF0460D4591AA5417744C791E6059B2,SHA256=C700413BE2587275D7C535C27C38FCFC554032D0D3A017848B5888454FE9DCC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191803Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:32.503{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8796F2424D2E55696BEE7B93CCF55B2F,SHA256=0E8F2F7FC5F7F2FF98858E321C4C55039724FC5B047CE01D1E82F2C0BB38D4BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191804Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:33.824{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93D2891B06606F2794FC746DC69F6A36,SHA256=64E5A4CCC492F39F82F7C698D4A49184E3EF97F7F65A26867F65068F6101F65D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191805Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:34.924{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=344639934463FFC80E770F646D190586,SHA256=9CD5F456C5A1F7A1CE42CB1A50DA65D69099F020DE2E54CD8B778E11F6912706,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000352315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:34.080{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=427B401A0BC5D82E9DB493ED5313A7CB,SHA256=DC9121D7155E0F2FFB23E039DF9940FC0B8CE6E69D97E5CA446B8AB62531DA0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000352316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:35.169{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67CD077C07A683771A5D69E4B907D51F,SHA256=E223033471220787D77FAA5504D495AD5FB03D73A3C41CFBF4CFE038A6052412,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000352319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:36.805{6820D070-4AD1-6323-0D00-000000007502}8883304C:\Windows\system32\svchost.exe{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000352318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:33.419{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63622-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000352317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:36.255{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78D66B66BD3AC9BB04553835C1C88951,SHA256=5C9BF141BB4EF14EAFD26BCE4D89009C5AFB21C0906CE696B4FA612530C3C4BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191806Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:36.013{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0BFA3CA453DD309FF8D9B55F9E1E4FF,SHA256=EB26D7C82A4FB8A4CCCA20AC8897FAF40E77E92C814FE91E78C20D3B15CBDD76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000352320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:37.355{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC38C07A3CFF88768530AC0A20A3926D,SHA256=CC6137CD543DD8D58B69C693E127CEA7177716832FD0753A3A65F1CB65155BA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191808Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:35.393{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49937-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000191807Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:37.130{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51AF206C5D8BAA5BC27F9E152C8EDB94,SHA256=DE95C064D6A215044CDE86C6065595626481289B1EBE5DDB33645668F5FA43B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000352321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:38.471{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7E695F32AD3BD2DB40EFF3A6833392C,SHA256=3E63197AE38B3D03292B86A9A25CE78CCD3E44FA7A0979AFA4E10DC369C4D70A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191809Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:38.216{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3613FEAEC1A0FD8B8B2FA7761A929AAD,SHA256=50CC93A642256029C774586EA49C029FCE7B2784C932D3D04089BFBAAF34A878,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191810Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:39.300{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=684089D8157F70669896087094B291BD,SHA256=0EB2C19CE01C4C68E9B8D540F0DC63FB10FE04E52577985353E831C730FBDB6D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000352349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:39.948{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2E00-000000007502}2728C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:39.947{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2D00-000000007502}2720C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:39.938{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 23542300x8000000000000000352346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:39.566{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F5D5BDA08161A3595378E39F5FD3D91,SHA256=80CB221E1C63AC2C14C4AB6BF8EB1F9FDE8BC437D8AE5E0E1FB4A16DA9B36034,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000352345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:39.415{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:39.406{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2900-000000007502}2576C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:39.396{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:39.368{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2600-000000007502}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:39.356{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2500-000000007502}2460C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:39.352{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADB-6323-2300-000000007502}2300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:39.350{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD2-6323-1B00-000000007502}1512C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:39.346{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1700-000000007502}1348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:39.324{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1600-000000007502}1292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:39.291{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:39.284{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1400-000000007502}1160C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:39.277{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1300-000000007502}924C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:39.267{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1200-000000007502}396C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:39.254{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1100-000000007502}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:39.245{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1000-000000007502}428C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:39.245{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4AB3-6323-0100-000000007502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97fa2|C:\Windows\system32\kerberos.DLL+7a1d8|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33a29|C:\Windows\system32\lsasrv.dll+31377|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 10341000x8000000000000000352329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:39.230{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0F00-000000007502}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:39.222{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:39.213{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0D00-000000007502}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:39.199{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:39.152{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:39.149{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0900-000000007502}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:39.144{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:39.131{6820D070-4ACF-6323-0B00-000000007502}620668C:\Windows\system32\lsass.exe{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191811Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:40.403{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9147998D5A9578CE5C26C58104C54E88,SHA256=81F84234C4D1A21908AD95AC91B287198E6D97AA0EA538497A788EB6EE346DC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000352357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:40.622{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=015CBB45178C32100B9678168B8049D1,SHA256=EE2C2051BB2FE983696071961C339B4109A48F202487F99D1075FAD1D5F3C884,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000352356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:38.429{6820D070-4AB3-6323-0100-000000007502}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local63625-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local445microsoft-ds 354300x8000000000000000352355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:38.429{6820D070-4AB3-6323-0100-000000007502}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local63625-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local445microsoft-ds 354300x8000000000000000352354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:38.332{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63624-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000352353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:38.332{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63624-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000352352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:38.322{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local63623-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000352351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:38.322{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local63623-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local389ldap 23542300x8000000000000000352350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:40.306{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4198F6BE9AB85517C300DAE4EEB56B7B,SHA256=E9659B076900F805D4884FD68430C6F1CC72648E9F56CD148AA0E370D82AB06F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191813Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:41.509{E743DC12-4AD1-6323-2200-000000007602}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=349DA2D2709E368B912BCFE883122F3D,SHA256=A702157C09260CAC91A393C9ED194C452FB00FE2A15E2EC807DE03451CFB359F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191812Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:41.509{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7635D4F965148FDC15609464F3F93F8,SHA256=B6863FD0DAC56F107033C001479A59B315481666338ED8DF760AC3E0D03DCC0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000352365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:41.968{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3500-000000007502}2408C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:41.966{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3300-000000007502}2176C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:41.963{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:41.961{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3100-000000007502}2816C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:41.959{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2F00-000000007502}2800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:41.956{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3000-000000007502}2780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 23542300x8000000000000000352359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:41.709{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D51EDB5C1777B558BE553A8EF8CF48C,SHA256=ED0F9EBC81C2EFFE87F39A6A31DF706BA961B62A4C69E3A10BA1F0D6B4A38E9A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000352358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:41.040{6820D070-4AD1-6323-0D00-000000007502}8883304C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-3000-000000007502}2780C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000352395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:42.863{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0E229D8EBA75E759903C454B42901B3,SHA256=19517EF804F00F7DE345CBF6C2357993316C5BCA558EEE4EB2956ACC77B60B03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191814Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:42.595{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C83F3BFAD9083CDCAB61194EB8887D0,SHA256=4115994B14B4870CD5F0CF84758C2A0809D5C4512EA34D38E8B308D04AE4AD0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000352394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:42.682{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:42.677{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:42.675{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:42.672{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:42.661{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:42.656{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:42.650{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF6-6323-1401-000000007502}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:42.648{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:42.640{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F100-000000007502}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:42.637{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F000-000000007502}6028C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:42.634{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EF00-000000007502}5984C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:42.612{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EE00-000000007502}5852C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:42.584{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:42.576{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:42.548{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:42.518{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:42.512{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-9100-000000007502}4556C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:42.503{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-8E00-000000007502}4492C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:42.497{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8B00-000000007502}4360C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:42.495{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8900-000000007502}900C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:42.493{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B64-6323-8600-000000007502}5052c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:42.490{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B5A-6323-8400-000000007502}4824C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:42.487{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AF2-6323-7D00-000000007502}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:42.485{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:42.481{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4C00-000000007502}3976C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:42.480{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4700-000000007502}3772C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:42.478{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE1-6323-4600-000000007502}3752C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 10341000x8000000000000000352367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:42.477{6820D070-4ADF-6323-2A00-000000007502}26163660C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE0-6323-3A00-000000007502}3404C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012D04850) 354300x8000000000000000352366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:39.362{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63626-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000191823Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:43.987{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1000-000000007602}940C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191822Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:43.981{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0F00-000000007602}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191821Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:43.970{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0E00-000000007602}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191820Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:43.957{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0D00-000000007602}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191819Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:43.948{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0C00-000000007602}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191818Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:43.940{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191817Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:43.938{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0900-000000007602}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 23542300x8000000000000000191816Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:43.913{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE3CA98BFA4E1DAF7CEC1C897B725BA7,SHA256=A4DD29A2C147A3D0BCEF1852AE01097A0BCF5EDF99938396ACAD592752456CD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000352396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:43.833{6820D070-4ADF-6323-2900-000000007502}2576NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\respondent-20220915155514-019MD5=3EE9864ACDFFE78A8B2E0DEDF704C720,SHA256=3E9075B80C33CFA58EAF977E4450D367AD693E429428DFB55B91DE7FD240E49F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191815Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:40.469{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49938-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000352400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:44.831{6820D070-4ADF-6323-2900-000000007502}2576NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\surveyor-20220915155511-020MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000352399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:44.780{6820D070-4AD1-6323-0D00-000000007502}8883304C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:44.780{6820D070-4AD1-6323-0D00-000000007502}8883304C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000352397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:43.998{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C46BEE5407B283CD600399959FA0BAA,SHA256=6438E7E4F2150E827D51C87837163158FB43DE44132EC3C600DA86AC062A2B06,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191852Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:44.192{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B84-6323-9000-000000007602}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191851Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:44.179{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191850Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:44.161{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191849Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:44.156{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8700-000000007602}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191848Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:44.148{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B81-6323-8400-000000007602}3052C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191847Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:44.144{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B80-6323-8100-000000007602}640C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191846Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:44.142{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B7F-6323-7F00-000000007602}1676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191845Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:44.140{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B4B-6323-7B00-000000007602}2656C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191844Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:44.138{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AE3-6323-6D00-000000007602}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191843Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:44.136{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191842Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:44.132{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4200-000000007602}3036C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191841Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:44.132{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4000-000000007602}3000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191840Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:44.130{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-3C00-000000007602}2820C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191839Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:44.129{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD2-6323-2B00-000000007602}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191838Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:44.128{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2600-000000007602}2612C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191837Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:44.126{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2500-000000007602}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191836Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:44.123{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191835Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:44.119{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191834Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:44.116{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2000-000000007602}2000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191833Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:44.110{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1F00-000000007602}1984C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191832Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:44.105{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1C00-000000007602}1924C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191831Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:44.097{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1900-000000007602}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191830Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:44.080{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1700-000000007602}1228C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191829Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:44.077{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1600-000000007602}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191828Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:44.066{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1500-000000007602}1056C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191827Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:44.041{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1400-000000007602}1048C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191826Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:44.031{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1300-000000007602}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191825Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:44.017{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1200-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000191824Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:44.008{E743DC12-4AD0-6323-1D00-000000007602}19442500C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1100-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 13241300x8000000000000000352406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 16:15:45.884{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\8540D214-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_8540D214-0000-0000-0000-100000000000.XML 13241300x8000000000000000352405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 16:15:45.865{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BDD44E51-425D-47BA-BA16-AF37623148D4\Config SourceDWORD (0x00000001) 13241300x8000000000000000352404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 16:15:45.865{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\BDD44E51-425D-47BA-BA16-AF37623148D4\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_BDD44E51-425D-47BA-BA16-AF37623148D4.XML 10341000x8000000000000000352403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:45.864{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:45.864{6820D070-4ACF-6323-0B00-000000007502}620744C:\Windows\system32\lsass.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000352401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:45.087{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=263D846F908B1313C221FE008014659A,SHA256=331361F6EEF01F11334607C377C4224A958A965495AEAA72B559CBD7D34FE891,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191853Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:45.137{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25E07E14D9C59538AA3F075E93E2CC5B,SHA256=B47038243633F754D1D775402AC9D0A42AB7BD624380528EEEF185C55209EBE1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000352413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:46.847{6820D070-4B7F-6323-9900-000000007502}29725508C:\Windows\Explorer.EXE{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:46.847{6820D070-4B7F-6323-9900-000000007502}29725508C:\Windows\Explorer.EXE{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:46.847{6820D070-4B7F-6323-9900-000000007502}29725508C:\Windows\Explorer.EXE{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:46.716{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:46.716{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:46.716{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000352407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:46.400{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=596F61DF37B4D728CFFD0A5DC10EC8B4,SHA256=9F1060888EF99E574623EA177D39EFAEEFC44A5BDBDAA32BCD822B13C9FCF13E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191854Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:46.205{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAD8D893A2FFDC5F8A5642417597BC19,SHA256=EDA1C961E93E12336DEF26876D6DB7A508052FA7B1FE504A93A0A47EE5621F30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000352422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:47.785{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=973962B0A65198AEA8FC8F84293C8708,SHA256=3DDF4DE45879914C615BE9D340AD3516B53D28A9B1140A8030ED6C349302983A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000352421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:47.716{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:47.716{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:47.548{6820D070-4ACF-6323-0B00-000000007502}620668C:\Windows\system32\lsass.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:47.548{6820D070-4ACF-6323-0B00-000000007502}620668C:\Windows\system32\lsass.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:47.548{6820D070-4ACF-6323-0B00-000000007502}620668C:\Windows\system32\lsass.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000352416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:47.485{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E61A2E66F5F9DAD9E88A1CF08CCCBD06,SHA256=A93A3648D038A2B850A6CCDED73F6F6D15B0D8B803C3D44F5D4004A6B01BBC39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191855Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:47.307{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=442185FEFF58432A54F604F59CE5A389,SHA256=FD311CA2C5123B3014F8B7DA61A518B54E1F8211F94C496C0CB8DAE0224489F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000352415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:45.053{6820D070-4AD1-6323-0D00-000000007502}888C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local63627-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local135epmap 354300x8000000000000000352414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:45.053{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local63627-truefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local135epmap 23542300x8000000000000000352428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:48.616{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=665BD3501B9FC31E9EB36994724E2A4A,SHA256=84CE901BE4D4BD5D2DCC0110FE57B3646CED426FAEAB7FB996343386E8F83F20,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191857Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:46.386{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49939-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000191856Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:48.404{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A7D4366D200E04CB0EA040BB7B8F616,SHA256=B07E576E357E17EF21B23123E61984FA95AAE1B9C7D3B6DCA8C56ABD2B01A573,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000352427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:45.913{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local64172- 354300x8000000000000000352426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:45.912{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63064- 354300x8000000000000000352425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:45.903{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63629-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000352424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:45.903{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63629-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000352423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:45.369{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63628-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000352431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:49.718{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BDD06170EAA329353D028AF5EA477ACE,SHA256=989851F21194E87480ED9B5F5FB250A71C947D19395316CC29E334518608CAC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191858Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:49.511{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F22A5AAC5110FFA879C3F542E16A535B,SHA256=BCCEBDB0E1C5311BA55AA21610B45567567858E3E8DEF8700E4FDFA8B7DD3274,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000352430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:46.735{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63630-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000352429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:46.735{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63630-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local389ldap 23542300x8000000000000000352433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:50.802{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36C7AB701B67204513D70B7010464456,SHA256=1929F16F3F7A63E824946B6B62C4A04102297F3F5BC2DE498DCFCB487C72D07D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191859Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:50.602{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4A83200CF374785D6E3CDBF0FE4E356,SHA256=41F43047CD255509BD270EAFD9ECAC47591A1C9C3C96215A56C34EE25793BD23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000352432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:50.083{6820D070-4AD1-6323-0D00-000000007502}8883304C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000352434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:51.834{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CCC6B6F4D88E2C8C3D7510915C1E355,SHA256=9B6EE5A6E9CA0540475099803CC4D2D3429276585044C47BB3B52045E14D4145,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191860Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:51.685{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44AFACC630243F3140C167FDCE551B08,SHA256=EDC1CFCA0DB6770ED1ACB64A15137E493C711A530F3016F9624FB7AA1149427C,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000352437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:52.970{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\explorer.exeC:\Windows\System32\chartv.dll10.0.14393.447 (rs1_release_inmarket.161102-0100)Chart ViewMicrosoft® Windows® Operating SystemMicrosoft Corporationchartv.dllMD5=A503F84DE81A3F559BB7620764EC843E,SHA256=E43FE5BAD0D27AD9A4F8387C6926C11EBCB895272AD45F7F3A1CCF221EC85EC4,IMPHASH=9F006C4CB45C8FA41AB914F6D399701DtrueMicrosoft WindowsValid 10341000x8000000000000000352436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:52.988{6820D070-4AD1-6323-1600-000000007502}12922096C:\Windows\System32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000352435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:52.920{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDE31559F1636670B6BA9C657FA805BF,SHA256=2FD4DFCADFB9E9FA32B0567417F4578733CF842B5CF842FEE47527BE5CD62A38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191861Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:52.899{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12CCB40DDCF5431714E9B7EEBD0F8E54,SHA256=10E134E85BB99E379288655E62BEC7C510E7A4959027615F9C7627ED0A83DA0D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000352440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:51.253{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63631-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000352439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:53.035{6820D070-4B7E-6323-9200-000000007502}45764716C:\Windows\system32\taskhostw.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:52.988{6820D070-4B7E-6323-9200-000000007502}45764716C:\Windows\system32\taskhostw.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000352441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:54.035{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C7B1815C74CCB036C8A243F2154D799,SHA256=A8660957509B8A098CEA5568BF198CAD3B0412D8D4AADAA4F742B07F6DF92E8B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191863Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:51.404{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49940-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000191862Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:54.084{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB50D015694F41725BA3BAE813D847B0,SHA256=52220C7E429A3C6FCEEBCABA7BED31254ADAE967B31C5A008512D274A1D73C56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191864Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:55.283{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A29A8E6F928E7FB1165D071ED091892,SHA256=643CC6C5B533C4941CF5EDD7A878FDD2409EF0CD4183DEA1328BCF3418150894,IMPHASH=00000000000000000000000000000000falsetrue 17141700x8000000000000000352444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-CreatePipe2022-09-15 16:15:55.589{6820D070-4B7F-6323-9900-000000007502}2972\UIA_PIPE_2972_000073d1C:\Windows\Explorer.EXE 10341000x8000000000000000352443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:55.470{6820D070-4B7E-6323-9200-000000007502}45764716C:\Windows\system32\taskhostw.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000352442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:55.089{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E98E76E7CC7F3B30FB4D141ACB784604,SHA256=4FFE73F0AD00C70B2595020EBB2F53F7D8D45024870111ED45B8D0367CC22D52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191865Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:56.491{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=025995A083CA10AFAE723667018A8F0E,SHA256=AC5C07770DCA74439DB78B86FABE355BCEAC975B0EAACA240700E0543C94CB6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000352445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:56.187{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C563BB4F7B83C12937A4452E15CCA926,SHA256=67D24C565345C57A767D3236107412983C2B9533A3E94961E8A89DB3A79010DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191867Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:57.694{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F027A5BDA46BC8E59FD1F86AA9A9516E,SHA256=F69A2CA541FD3C88166575240117ACE923066DFC8076BC0D4A09E264DEC20BB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000352447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:57.286{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4659EC7506D43556C8DB498C4EEC91F8,SHA256=CE78C9737D8E9DC1F0618C07F0AF861150FE391B05D7D514B72472995C06599C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191866Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:57.419{E743DC12-4AD0-6323-1100-000000007602}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D3F5100220BD30244B17D1AB497E569A,SHA256=F681FA1F5C632D36D58593942DAA2C6CD39373F89A723A26CDD1C9FEFF7CD665,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000352446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:57.186{6820D070-4ADF-6323-3200-000000007502}2936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=6CF1023BF60EA9D24095A49DADD6EA58,SHA256=8DBC20BDC17C14AE6A25F26E6F0407B9FA7DDE59D1C5860DDEC2558C413E701C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191868Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:58.911{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72AF2DEBED830B969786F294CF7AC13A,SHA256=C00B611E6C09BBC834AAFC917982F139BC8CEBA1F593EC6358889000C4DE1BC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000352450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:58.853{6820D070-4AD1-6323-1100-000000007502}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=1169CC4B32E4E07F36578901AEFDE04E,SHA256=DE81228EDB025CFFB771AC38BEF3ED186BC062E8E644B158CB4650505153A1B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000352449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:56.409{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63632-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000352448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:58.388{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2D6ACD83EF2A39610D0ACF6A47D4EE7,SHA256=5BCBE80B116FE4D74DF08BDB1019694CD2693E343B649919D6A639FB363E6C75,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000352478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:59.949{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2E00-000000007502}2728C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:59.947{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2D00-000000007502}2720C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:59.943{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:59.491{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:59.474{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2900-000000007502}2576C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:59.456{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:59.442{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2600-000000007502}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 23542300x8000000000000000352471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:59.435{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=801BC592F3F2E889E6DBDB7E33706A45,SHA256=F90C3D03FFC5AA7BF3F31C39D33B9A64EA6283872880C449E73232084F5E9677,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000352470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:59.424{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2500-000000007502}2460C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:59.421{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADB-6323-2300-000000007502}2300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:59.419{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD2-6323-1B00-000000007502}1512C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:59.416{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1700-000000007502}1348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:59.404{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1600-000000007502}1292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 354300x8000000000000000191869Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:15:57.276{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49941-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000352465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:59.352{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:59.337{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1400-000000007502}1160C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:59.326{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1300-000000007502}924C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:59.298{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1200-000000007502}396C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:59.277{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1100-000000007502}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:59.270{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1000-000000007502}428C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:59.256{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0F00-000000007502}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:59.249{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:59.237{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0D00-000000007502}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:59.223{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 11241100x8000000000000000352455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:59.203{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\SiteSecurityServiceState-1.txt2022-09-15 16:15:59.201 23542300x8000000000000000352454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:59.202{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\SiteSecurityServiceState-1.txtMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000352453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:59.201{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\SiteSecurityServiceState-1.txt2022-09-15 16:15:59.201 10341000x8000000000000000352452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:59.174{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:15:59.167{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0900-000000007502}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 734700x8000000000000000352483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:00.577{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\explorer.exeC:\Windows\System32\wpdshext.dll10.0.14393.4169 (rs1_release.210107-1130)Portable Devices Shell ExtensionMicrosoft® Windows® Operating SystemMicrosoft CorporationWpdShExt.dllMD5=CEB555E9099888316A1E2ADE83BA82BF,SHA256=4110FFD5F08100D1F6E1005E2907460E40B3221A0833B821BE291657416E89F0,IMPHASH=60006258D4DE87B31BEDA805A8CC8040trueMicrosoft WindowsValid 23542300x8000000000000000352482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:00.466{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38F0F8299BF8434319F564BAC22C0DFC,SHA256=A724D31A46BF9B9974FE1D60D7319539C0D9ABBA3A7DF79D94BDC84D685D967D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191870Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:00.008{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E59F5C30ED36ACF2BA1E17227BB62D3,SHA256=187EA9321E468043FED0A8B7C072564859BAC034C5367A2C9466288124F8C958,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000352481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:00.326{6820D070-4B7F-6323-9900-000000007502}29724976C:\Windows\Explorer.EXE{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+bdd30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8013285BCD8)|UNKNOWN(FFFFD9E122A77E08)|UNKNOWN(FFFFD9E122A77F87)|UNKNOWN(FFFFD9E122A72611)|UNKNOWN(FFFFD9E122A73FDA)|UNKNOWN(FFFFD9E122A72296)|UNKNOWN(FFFFF80132571503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000352480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:00.326{6820D070-4B7F-6323-9900-000000007502}29724976C:\Windows\Explorer.EXE{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bd811|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8013285BCD8)|UNKNOWN(FFFFD9E122A77E08)|UNKNOWN(FFFFD9E122A77F87)|UNKNOWN(FFFFD9E122A72611)|UNKNOWN(FFFFD9E122A73FDA)|UNKNOWN(FFFFD9E122A72296)|UNKNOWN(FFFFF80132571503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000352479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:00.326{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF13f64a.TMPMD5=AE83E3D1BED7E22F099EC37882555B7F,SHA256=19C20C1DAA5B1C1F7E9A0561569A10ABB7DBF1B544D26F74C2B5990D9C688508,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000352502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:01.981{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3500-000000007502}2408C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:01.979{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3300-000000007502}2176C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:01.970{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:01.967{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3100-000000007502}2816C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:01.964{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2F00-000000007502}2800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:01.962{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3000-000000007502}2780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 13241300x8000000000000000352496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 16:16:01.915{6820D070-4AD1-6323-1200-000000007502}396C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8c91e-0x72c52d56) 23542300x8000000000000000352495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:01.521{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83740C79440E93BE0E3EE77FD166EAF1,SHA256=488B8A517265F2882159FFBF74D0189DBEBC51D980C50760AD44BCEA105282D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000352494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:01.469{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0C00-000000007502}828C:\Windows\system32\svchost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000352493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:01.469{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0C00-000000007502}828C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000352492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:01.469{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0C00-000000007502}828C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000352491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:01.469{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0C00-000000007502}828C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000352490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:01.469{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0C00-000000007502}828C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000352489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:01.466{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3300-000000007502}2176C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000352488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:01.466{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3300-000000007502}2176C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 23542300x8000000000000000191871Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:01.114{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24D3EEC9466408E2BF50641E117A0E04,SHA256=BA886095D0443917DD083835C3791B0D2F4E68ED56710CDF35C586C79D580CA8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000352487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:01.466{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0C00-000000007502}828C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000352486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:01.466{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0C00-000000007502}828C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000352485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:01.463{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3300-000000007502}2176C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000352484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:01.463{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3300-000000007502}2176C:\Windows\system32\wbem\unsecapp.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000352531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:02.647{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:02.644{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:02.640{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:02.637{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:02.634{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:02.628{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:02.624{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF6-6323-1401-000000007502}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:02.622{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:02.619{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F100-000000007502}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:02.615{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F000-000000007502}6028C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:02.614{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EF00-000000007502}5984C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:02.605{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EE00-000000007502}5852C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:02.584{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:02.577{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 23542300x8000000000000000352517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:02.573{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC220058B3FAE7679202DF036EAD20D9,SHA256=25F1683B35AF8FFEEA530A531111425FA392A6C26A1C433EC318B2DB41EFB6D8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000352516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:02.567{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:02.537{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:02.531{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-9100-000000007502}4556C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:02.522{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-8E00-000000007502}4492C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:02.518{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8B00-000000007502}4360C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:02.516{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8900-000000007502}900C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:02.514{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B64-6323-8600-000000007502}5052c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:02.512{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B5A-6323-8400-000000007502}4824C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:02.509{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AF2-6323-7D00-000000007502}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:02.508{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:02.502{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4C00-000000007502}3976C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:02.502{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4700-000000007502}3772C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:02.499{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE1-6323-4600-000000007502}3752C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000352503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:02.499{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE0-6323-3A00-000000007502}3404C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 23542300x8000000000000000191872Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:02.322{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83117312B5E9E05E62478751ECA9009D,SHA256=EB31E09B5902329007CA4A52D1E87E7149F61D58CD796A295DAAF0A39FC2903A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000352532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:03.750{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89F28A197C7597D431132245D058048F,SHA256=4C84412AFDDEB68ED641B6303B8502E258D6C70E3974A1FE837552E55B7EA6F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191875Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:03.998{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191874Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:03.980{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0900-000000007602}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 23542300x8000000000000000191873Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:03.417{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0FD8CE4B08A27EA632361354BD45368,SHA256=439875182468DADA6A37C0BBE7ED8CE899A45F694263208CAAA84BE0A1D48806,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000352563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:04.788{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D883C1A424537DE6558B241957E92D34,SHA256=62B28EA973CE36C4B02938883B4C1BBDE804141D2C25835BD721CC2CF4092FC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000352562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:04.788{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:04.788{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:04.788{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:04.788{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:04.787{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:04.787{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:04.787{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:04.787{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:04.786{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:04.786{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:04.786{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:04.786{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:04.786{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:04.786{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:04.786{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:04.786{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:04.786{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:04.786{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:04.785{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:04.785{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:04.785{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:04.785{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:04.785{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:04.785{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:04.785{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:04.785{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:04.785{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:04.785{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:04.785{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191911Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:04.779{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFC9B50F0549C5F5750CD31243D0B884,SHA256=B064497686D93CD1DB212AD8C0BAE46872E8180F01D63594EB80A6D6A0DB8371,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191910Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:02.495{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49942-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000352533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:02.351{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63633-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000191909Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:04.245{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B84-6323-9000-000000007602}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191908Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:04.237{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191907Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:04.224{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191906Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:04.219{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8700-000000007602}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191905Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:04.213{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B81-6323-8400-000000007602}3052C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191904Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:04.209{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B80-6323-8100-000000007602}640C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191903Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:04.207{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B7F-6323-7F00-000000007602}1676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191902Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:04.205{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B4B-6323-7B00-000000007602}2656C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191901Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:04.202{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AE3-6323-6D00-000000007602}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191900Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:04.201{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191899Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:04.196{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4200-000000007602}3036C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191898Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:04.196{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4000-000000007602}3000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191897Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:04.194{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-3C00-000000007602}2820C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191896Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:04.193{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD2-6323-2B00-000000007602}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191895Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:04.192{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2600-000000007602}2612C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191894Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:04.190{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2500-000000007602}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191893Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:04.187{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191892Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:04.183{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191891Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:04.181{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2000-000000007602}2000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191890Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:04.176{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1F00-000000007602}1984C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191889Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:04.166{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1C00-000000007602}1924C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191888Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:04.160{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1900-000000007602}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191887Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:04.145{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1700-000000007602}1228C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191886Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:04.144{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1600-000000007602}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191885Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:04.135{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1500-000000007602}1056C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191884Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:04.116{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1400-000000007602}1048C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191883Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:04.111{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1300-000000007602}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191882Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:04.105{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1200-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191881Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:04.097{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1100-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191880Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:04.071{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1000-000000007602}940C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191879Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:04.064{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0F00-000000007602}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191878Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:04.047{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0E00-000000007602}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191877Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:04.033{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0D00-000000007602}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000191876Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:04.011{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0C00-000000007602}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 23542300x8000000000000000352564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:05.990{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A67AF8ECA6E9425ED558B5D6C3302EBA,SHA256=6BDB1A5CFEC386D782DABB1A7EF70E7BC05750EADAE306428EE985C0782EB30E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191912Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:05.802{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE3CBB391103FD0F9C52322D4531BC3A,SHA256=0E2F414A868C4406A616A766760867C482710FC1E4B2E850CAAB6BCF1904CA19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191914Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:06.904{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DDB97C6F3E39A23D2BA693D081B9391,SHA256=2BFA2F81EADB32AD23348FCDC8A05A0FC818C5B42B69A1F5E8FB56C6A97D8DFB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000352566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:06.312{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:06.312{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191913Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:06.291{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-1D00-000000007602}1944C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191922Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:07.674{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4FC7-6323-1D01-000000007602}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191921Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:07.674{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191920Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:07.674{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191919Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:07.674{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191918Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:07.674{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191917Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:07.674{E743DC12-4ACF-6323-0500-000000007602}4121064C:\Windows\system32\csrss.exe{E743DC12-4FC7-6323-1D01-000000007602}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191916Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:07.674{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4FC7-6323-1D01-000000007602}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191915Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:07.674{E743DC12-4FC7-6323-1D01-000000007602}4876C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000352567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:07.094{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E71A27262491E2FBFDFC593ED2730662,SHA256=A9EDC4BE4968778328FD9ECAE00738BF2EE128E37C59B6A5BB58949C539B563F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191941Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:08.840{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4FC8-6323-1F01-000000007602}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191940Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:08.840{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191939Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:08.840{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191938Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:08.840{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191937Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:08.840{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191936Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:08.840{E743DC12-4ACF-6323-0500-000000007602}412528C:\Windows\system32\csrss.exe{E743DC12-4FC8-6323-1F01-000000007602}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191935Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:08.840{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4FC8-6323-1F01-000000007602}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191934Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:08.841{E743DC12-4FC8-6323-1F01-000000007602}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000191933Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:08.762{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=10A9069828BEAAD67350944E25D3F318,SHA256=64862AD1124151886CD730F886E63DC99B39AE3619418829D1844A0F4673DCE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191932Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:08.512{E743DC12-4FC8-6323-1E01-000000007602}37324796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191931Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:08.347{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4FC8-6323-1E01-000000007602}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191930Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:08.347{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191929Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:08.347{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191928Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:08.347{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191927Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:08.347{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191926Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:08.347{E743DC12-4ACF-6323-0500-000000007602}4121064C:\Windows\system32\csrss.exe{E743DC12-4FC8-6323-1E01-000000007602}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191925Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:08.347{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4FC8-6323-1E01-000000007602}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191924Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:08.348{E743DC12-4FC8-6323-1E01-000000007602}3732C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000191923Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:08.113{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=896C626C251B2608D222A1FD51DE4E7F,SHA256=E2A58617C474C51CA0BF5FA39455B2DCE838904C325C0507F88E26F608CFDCA6,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000352631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.918{6820D070-4FC8-6323-7701-000000007502}8024C:\Windows\System32\cmd.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000352630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.900{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\System32\conhost.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll6.10 (rs1_release.210107-1130)User Experience Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationcomctl32.DLLMD5=FD486B6FA360ABE43E02E85F3164E9BE,SHA256=733922A216EC03FC6AA405205CD2F8BB81A39180F26839588B97F310E21071B5,IMPHASH=C3F4A4DA2950075F09DD008B60FF567CtrueMicrosoft WindowsValid 10341000x8000000000000000352629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.918{6820D070-4B7F-6323-9900-000000007502}29725508C:\Windows\Explorer.EXE{6820D070-4FC8-6323-7701-000000007502}8024C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.918{6820D070-4B7F-6323-9900-000000007502}29725508C:\Windows\Explorer.EXE{6820D070-4FC8-6323-7701-000000007502}8024C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.918{6820D070-4B7F-6323-9900-000000007502}29725508C:\Windows\Explorer.EXE{6820D070-4FC8-6323-7701-000000007502}8024C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.915{6820D070-4B7E-6323-9200-000000007502}45764716C:\Windows\system32\taskhostw.exe{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.915{6820D070-4B7E-6323-9200-000000007502}45764716C:\Windows\system32\taskhostw.exe{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\MSCTF.dll+f681|C:\Windows\System32\MSCTF.dll+fbf9|C:\Windows\System32\MSCTF.dll+105e3|C:\Windows\System32\MSCTF.dll+3d742|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000352624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.864{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\System32\conhost.exeC:\Windows\System32\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=74621C6ABE4E9A568DF0A38E7282D71E,SHA256=0788A092D47800D0EB120A7DBB9E59234D0722A4A2E80ECE6CE70E3A84A3750A,IMPHASH=ADB9F71ACD4F7D3CF761AB6C59A7F1E5trueMicrosoft WindowsValid 734700x8000000000000000352623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.864{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\System32\conhost.exeC:\Windows\System32\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=CA0121D9089BBFE1CB95A04E09E04C90,SHA256=B264FBE125E02FFBCDBBFF811B75B3ECEF31FD7762BD67BEE41492ED33CC146F,IMPHASH=EB898F83C3A5D6877A523BC64B41CB06trueMicrosoft WindowsValid 10341000x8000000000000000352622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.864{6820D070-4B7F-6323-9900-000000007502}29725260C:\Windows\Explorer.EXE{6820D070-4FC8-6323-7701-000000007502}8024C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.864{6820D070-4B7F-6323-9900-000000007502}29725260C:\Windows\Explorer.EXE{6820D070-4FC8-6323-7701-000000007502}8024C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.864{6820D070-4B7F-6323-9900-000000007502}29725260C:\Windows\Explorer.EXE{6820D070-4FC8-6323-7701-000000007502}8024C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.864{6820D070-4B7F-6323-9900-000000007502}29725260C:\Windows\Explorer.EXE{6820D070-4FC8-6323-7701-000000007502}8024C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.864{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+ca500|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.864{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+66460|C:\Windows\System32\SHELL32.dll+ca4bc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.864{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+ca490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.864{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.833{6820D070-4AD1-6323-1500-000000007502}12201384C:\Windows\system32\svchost.exe{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000352613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.818{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\System32\svchost.exeC:\Windows\System32\deviceaccess.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Device Broker And Policy COM ServerMicrosoft® Windows® Operating SystemMicrosoft CorporationDeviceAccess.dllMD5=4C76812B58E0B647D28D6FCEFC6702AF,SHA256=76CF6D4562438A4F51D526C1A9962F7174490A553CC9897C9F60A96702EEB680,IMPHASH=1F40F992028A58CCA9DFDD62028D0D40trueMicrosoft WindowsValid 10341000x8000000000000000352612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.833{6820D070-4AD1-6323-1500-000000007502}12201256C:\Windows\system32\svchost.exe{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000352611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.833{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\System32\conhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000352610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.833{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\System32\conhost.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000352609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.833{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\System32\conhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000352608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.833{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\System32\conhost.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000352607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.833{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\System32\conhost.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000352606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.833{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\System32\conhost.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000352605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.833{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\System32\conhost.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000352604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.833{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\System32\conhost.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000352603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.833{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\System32\conhost.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 10341000x8000000000000000352602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.833{6820D070-4FC8-6323-7801-000000007502}102166736C:\Windows\system32\conhost.exe{6820D070-4FC8-6323-7701-000000007502}8024C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000352601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.818{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\System32\conhost.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000352600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.818{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\System32\conhost.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000352599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.818{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\System32\conhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 734700x8000000000000000352598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.818{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\System32\conhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000352597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.818{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\System32\conhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000352596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.818{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\System32\conhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000352595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.818{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\System32\conhost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000352594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.818{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\System32\svchost.exeC:\Windows\System32\LocationFrameworkPS.dll10.0.14393.4169 (rs1_release.210107-1130)Windows Geolocation Framework PSMicrosoft® Windows® Operating SystemMicrosoft CorporationLocationFrameworkPS.dllMD5=9BA4CCDCED268D654794C53AD79F1402,SHA256=4778C3E478FC613C7B97FBCE5716F04F36CA665F643541841EB24A38B0AAB4A1,IMPHASH=BDE6E9F55B678D4E2440D9FA0C8B81FBtrueMicrosoft WindowsValid 734700x8000000000000000352593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.818{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\System32\conhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000352592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.818{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000352591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.818{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\System32\conhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000352590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.818{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\System32\conhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000352589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.818{6820D070-4FC8-6323-7701-000000007502}8024C:\Windows\System32\cmd.exeC:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37AtrueMicrosoft WindowsValid 734700x8000000000000000352588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.818{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\System32\conhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000352587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.818{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\System32\conhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000352586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.818{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\System32\conhost.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000352585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.818{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\System32\conhost.exeC:\Windows\System32\ConhostV2.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=AF2A1A64E694FC8BF2BE884975815679,SHA256=D749115524D871CC1AEAC4B58F166319ADAA80D5AD14DD5CE468614B548A2F2D,IMPHASH=8186D8B119B7234AAF75B4C29E77630DtrueMicrosoft WindowsValid 734700x8000000000000000352584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.818{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\System32\conhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 10341000x8000000000000000352583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.818{6820D070-4B7C-6323-8800-000000007502}6284268C:\Windows\system32\csrss.exe{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x8000000000000000352582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.818{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\System32\conhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000352581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.818{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\System32\conhost.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000352580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.818{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\System32\conhost.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000352579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.818{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\System32\conhost.exeC:\Windows\System32\conhost.exe10.0.14393.0 (rs1_release.160715-1616)Console Window HostMicrosoft® Windows® Operating SystemMicrosoft CorporationCONHOST.EXEMD5=D752C96401E2540A443C599154FC6FA9,SHA256=046F7A1B4DE67562547ED9A180A72F481FC41E803DE49A96D7D7C731964D53A0,IMPHASH=2C980A4DA7C717CC670CB9E1D2C4D733trueMicrosoft WindowsValid 734700x8000000000000000352578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.818{6820D070-4FC8-6323-7701-000000007502}8024C:\Windows\System32\cmd.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000352577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.818{6820D070-4FC8-6323-7701-000000007502}8024C:\Windows\System32\cmd.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000352576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.818{6820D070-4FC8-6323-7701-000000007502}8024C:\Windows\System32\cmd.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000352575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.815{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.815{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.815{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.799{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.799{6820D070-4B7C-6323-8800-000000007502}6281180C:\Windows\system32\csrss.exe{6820D070-4FC8-6323-7701-000000007502}8024C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000352570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.799{6820D070-4B7F-6323-9900-000000007502}29726032C:\Windows\Explorer.EXE{6820D070-4FC8-6323-7701-000000007502}8024C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+16e73b|C:\Windows\System32\windows.storage.dll+16e451|C:\Windows\System32\windows.storage.dll+16e09e|C:\Windows\System32\windows.storage.dll+16f340|C:\Windows\System32\windows.storage.dll+16ddee|C:\Windows\System32\windows.storage.dll+fce8d|C:\Windows\System32\windows.storage.dll+fd5cc|C:\Windows\System32\windows.storage.dll+20f440|C:\Windows\System32\windows.storage.dll+16650a|C:\Windows\System32\windows.storage.dll+166262|C:\Windows\System32\SHELL32.dll+9cafd|C:\Windows\System32\SHELL32.dll+9b696|C:\Windows\System32\SHELL32.dll+8dfa9|C:\Windows\System32\SHELL32.dll+cf48e|C:\Windows\System32\SHELL32.dll+16f9c0|C:\Windows\System32\SHELL32.dll+18377c|C:\Windows\System32\SHELL32.dll+19e928|C:\Windows\System32\SHELL32.dll+183916|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07 154100x8000000000000000352569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.810{6820D070-4FC8-6323-7701-000000007502}8024C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon"C:\Windows\system32\ATTACKRANGE\Administrator{6820D070-4B7D-6323-1F63-0C0000000000}0xc631f2HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\explorer.exeC:\Windows\Explorer.EXE /NOUACCHECK 23542300x8000000000000000352568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.132{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=404F42A7170A9698DEC90EA37AC01817,SHA256=D3CC371FD4F85281B6741CA46C1E0ABF06F566EDC9985A9020970C0A01CE808F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191962Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:09.992{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191961Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:09.991{E743DC12-4ACF-6323-0500-000000007602}412428C:\Windows\system32\csrss.exe{E743DC12-4FC9-6323-2101-000000007602}4612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191960Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:09.991{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4FC9-6323-2101-000000007602}4612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191959Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:09.991{E743DC12-4FC9-6323-2101-000000007602}4612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000191958Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:09.558{E743DC12-4FC9-6323-2001-000000007602}47681612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191957Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:09.381{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4FC9-6323-2001-000000007602}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191956Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:09.381{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191955Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:09.381{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191954Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:09.381{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191953Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:09.381{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191952Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:09.381{E743DC12-4ACF-6323-0500-000000007602}412528C:\Windows\system32\csrss.exe{E743DC12-4FC9-6323-2001-000000007602}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191951Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:09.381{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4FC9-6323-2001-000000007602}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191950Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:09.384{E743DC12-4FC9-6323-2001-000000007602}4768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000191949Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:09.303{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E09E9BC457311B08FAC40E238D9760C,SHA256=4C9710E50CEF478D4468E680063B5AD8CB04595B81D0CA1B111C6C79F3212B51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000352646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:09.882{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00B56BEFE5B52D0ED4F392BDC0886423,SHA256=B3ABE75070079CCDDCF9BFF7A0ACA838075338AF52C4FDED23CF7C94D83704C8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000352645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:09.651{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000352644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:09.651{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000352643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:09.651{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000352642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:09.651{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\system32\conhost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000352641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:09.650{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000352640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:09.650{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000352639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:09.642{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4FC8-6323-7701-000000007502}8024C:\Windows\system32\cmd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000352638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:09.642{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4FC8-6323-7701-000000007502}8024C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000352637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:09.642{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4FC8-6323-7701-000000007502}8024C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000352636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:09.641{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4FC8-6323-7701-000000007502}8024C:\Windows\system32\cmd.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000352635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:09.641{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4FC8-6323-7701-000000007502}8024C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000352634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:09.641{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4FC8-6323-7701-000000007502}8024C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 23542300x8000000000000000352633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:09.249{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9FEAD1B052DF31080EAB217860F504B,SHA256=5FD25440D32E06C3E8961B43A6057A39EB7F3F7B5E00BD15113D15F0204782D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000352632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:09.249{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=607E6DF8B1434CBF2EF67390E9FA9D35,SHA256=5198C92F0437CEC297355909373121F60B05AE3C9BFB02D7248266F38456EC08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191948Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:09.082{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=75861E946DC3D1E69660402201AF2C0D,SHA256=DF9C1B7139B2748F37F71FE22AA8DF8DFA10218B5718511F7EF8492899813A86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191947Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:09.029{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4FC8-6323-1F01-000000007602}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 10341000x8000000000000000191946Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:09.029{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4FC8-6323-1F01-000000007602}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 10341000x8000000000000000191945Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:09.029{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4FC8-6323-1F01-000000007602}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 10341000x8000000000000000191944Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:09.029{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4FC8-6323-1F01-000000007602}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 10341000x8000000000000000191943Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:09.029{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4FC8-6323-1F01-000000007602}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 10341000x8000000000000000191942Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:09.029{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4FC8-6323-1F01-000000007602}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 10341000x8000000000000000191978Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:10.705{E743DC12-4FCA-6323-2201-000000007602}44324696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 354300x8000000000000000191977Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:08.443{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49943-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000191976Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:10.548{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4FCA-6323-2201-000000007602}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191975Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:10.548{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191974Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:10.548{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191973Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:10.548{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191972Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:10.548{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191971Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:10.548{E743DC12-4ACF-6323-0500-000000007602}412428C:\Windows\system32\csrss.exe{E743DC12-4FCA-6323-2201-000000007602}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191970Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:10.548{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4FCA-6323-2201-000000007602}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191969Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:10.551{E743DC12-4FCA-6323-2201-000000007602}4432C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000191968Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:10.404{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD0B2A25C31D4EB1E32B515B33EF43E3,SHA256=0F13B95A4360783674DBFDB97F85AC0EDDFADA221580ED7F5F0D23C46891CB65,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000352648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:08.368{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63634-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000352647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:10.303{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7CFA5B4C2F5EF268AAA6675A6DAB714,SHA256=2B2592104A313B1474F7D6B350AED19C5F604E7DE8149920ECADBF955220234E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191967Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:10.170{E743DC12-4FC9-6323-2101-000000007602}46124416C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191966Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:09.998{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4FC9-6323-2101-000000007602}4612C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191965Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:09.994{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191964Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:09.994{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191963Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:09.994{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000191988Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:11.674{E743DC12-4AD1-6323-2200-000000007602}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=CAD3925D41FCD9E596390D9EB8C2945F,SHA256=B396F2BCCF53D9185491FA2349AD0D3FB5BEBA7ED5AFD6428C6025ADDE720C78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191987Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:11.502{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75AAE25134992E4C9C30F803FFEF40B5,SHA256=55EB3677E05D1B228F3C435F22B52A23DDF1486B267049BF2F99C1E44E7812A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000352651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:11.726{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000352650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:11.724{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=3554A5A0C5FBB1B3D1E91870A398C5A9,SHA256=F33B84CD60A5CD30795DFFCF39162104A811C92AA1D710EB6F1AA3DCA555D57C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000352649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:11.340{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3631CBC7251B7A97874C76E36163DA9,SHA256=266DE5BB774B1D882B9C374389C2BCD0CD4BFF25EEA8FA5A7A7A9A1B341BB9EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000191986Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:11.167{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-4FCB-6323-2301-000000007602}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191985Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:11.167{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191984Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:11.167{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191983Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:11.167{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191982Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:11.167{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000191981Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:11.167{E743DC12-4ACF-6323-0500-000000007602}412528C:\Windows\system32\csrss.exe{E743DC12-4FCB-6323-2301-000000007602}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000191980Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:11.167{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-4FCB-6323-2301-000000007602}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000191979Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:11.168{E743DC12-4FCB-6323-2301-000000007602}2972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000191989Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:12.588{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E1C19992DE8024BB9875FD91ED9941D,SHA256=FAC351A6BAF148812454A8D074F64189D8DCDDBBE22C32B1E6DAF0CA65AA95E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000352652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:12.408{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5023D80619BE9945D957950F1FD39FE0,SHA256=3EAD1DDA44C5F973AA59BD96C5CF0067C4098AF0EC7AC7F51EC4FC8ACB26382C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191990Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:13.800{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D48C398A78A0B0395C4FB481E2F735C2,SHA256=F589DE0E12B686D14A91477D6793ED12248ABF1F3D4DC5AE9B2DF353A1597AAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000352653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:13.475{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F117CF1A8C868ACAE46B7603F3957ABD,SHA256=6C5BC5126E85BFFE58A66CA7CE9D759DFF87343920AAE452EFDB9836AC65A891,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191991Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:14.894{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=174A4EFBC1D0504F454A471A3FBB4E7C,SHA256=60869C668E651AE95322E4BE4744EAE5941D725932E58BD74002B2CA91AE8001,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000352654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:14.528{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BC03AA15FDA32B9C38B04D4CF8527AE,SHA256=A2AEACD90A133B877B25D732B7C548534FF2D0E431336E8EB08CD4FB8D5EAB4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000352655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:15.681{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=748FA4D3FE6E0D2200B6B47183F421CE,SHA256=7C41A85E0B5BF32104BB666494C69BD82DF8AB5A28ABB5EA7B7ADC2D913A502F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000352657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:14.266{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63635-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000352656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:16.751{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82F8CA96EFB5ACFFB4286CC32D8F8874,SHA256=472100C1C2E519F24E479EA3EE1E2CAC0558F740C73F0CFC6066D079C5C6D069,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000191993Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:14.286{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49944-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000191992Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:16.095{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=863C8D988C8E47A7F9F905D4753A2AA1,SHA256=56F51F8BFF6769185ACBC9C74F3155640347F280BDD68F5B6E1509C1305FC3CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000352658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:17.836{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53A328D4E0061E8721D8FA9BD61F11F2,SHA256=D00EE3BA99C9B8B2D17C083B01CA66352F7C122BB081F13F36F4B1C2FFE89150,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191994Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:17.191{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30FF3BA21C06B870534DCBBE4F4A103A,SHA256=DEC2FCA82D067D089F3353F55F0BF3AC8F996882EBC26F181CE6B5DC01925835,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000352659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:18.908{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C140EF904F1402A7E8E2AD6C81833864,SHA256=D4AC70559D0DD210CF9DFA0C79C6E984C9C112587F1F6E6419C87F10193DACBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191995Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:18.394{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CCB762A20E882B4EF1250B344516D6A,SHA256=EFF67E05DA12459967C20300749F69A618840B1E431F45B62457CDDB465342A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191996Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:19.599{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=932A321EE86E6C267B7F111FC9ABB9C7,SHA256=8A0376FBCCE429B72EADAF7A5A46E959ACB53490C94C0FA12E7D1346320B3D0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000352717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.875{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4FD3-6323-7901-000000007502}5308C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000352716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.875{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4FD3-6323-7901-000000007502}5308C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000352715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.874{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4FD3-6323-7901-000000007502}5308C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000352714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.873{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4FD3-6323-7901-000000007502}5308C:\Windows\system32\DllHost.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000352713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.873{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4FD3-6323-7901-000000007502}5308C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000352712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.873{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4FD3-6323-7901-000000007502}5308C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000352711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.496{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.487{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2900-000000007502}2576C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.480{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.475{6820D070-4B7F-6323-9900-000000007502}29726032C:\Windows\Explorer.EXE{6820D070-4FC8-6323-7701-000000007502}8024C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a360|C:\Windows\System32\ole32.dll+8c46e|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8e5d|C:\Windows\System32\SHELL32.dll+28397e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 10341000x8000000000000000352707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.473{6820D070-4B7F-6323-9900-000000007502}29726032C:\Windows\Explorer.EXE{6820D070-4FC8-6323-7701-000000007502}8024C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8e5d|C:\Windows\System32\SHELL32.dll+28397e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x8000000000000000352706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.466{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2600-000000007502}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.451{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2500-000000007502}2460C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.446{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADB-6323-2300-000000007502}2300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.444{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD2-6323-1B00-000000007502}1512C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.442{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1700-000000007502}1348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.431{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1600-000000007502}1292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.393{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.381{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1400-000000007502}1160C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.374{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1300-000000007502}924C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.353{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1200-000000007502}396C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 734700x8000000000000000352696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.334{6820D070-4FD3-6323-7901-000000007502}5308C:\Windows\System32\dllhost.exeC:\Windows\System32\propsys.dll7.0.14393.4169 (rs1_release.210107-1130)Microsoft Property SystemWindows® SearchMicrosoft Corporationpropsys.dllMD5=013D2BA96C261CDC62ECA7365E1C84D5,SHA256=26896478B6F1AF3756D5B1BB59BF2C6BE1C579B122CC882BAC35FEFB3EC3EE36,IMPHASH=FF25576501EAFD13671A6D5075C4513EtrueMicrosoft WindowsValid 10341000x8000000000000000352695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.341{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1100-000000007502}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 734700x8000000000000000352694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.335{6820D070-4FD3-6323-7901-000000007502}5308C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000352693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.335{6820D070-4FD3-6323-7901-000000007502}5308C:\Windows\System32\dllhost.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000352692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.332{6820D070-4FD3-6323-7901-000000007502}5308C:\Windows\System32\dllhost.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000352691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.332{6820D070-4FD3-6323-7901-000000007502}5308C:\Windows\System32\dllhost.exeC:\Windows\System32\thumbcache.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft Thumbnail CacheMicrosoft® Windows® Operating SystemMicrosoft Corporationthumbcache.dllMD5=915850DD84E156381392FC43ECDF37C0,SHA256=03E2C6D75BCC4FE599C40C4929E2877543EE625494BAC86D988AD23A0439468A,IMPHASH=428FE673E24F7848BECF2BA2271A839AtrueMicrosoft WindowsValid 10341000x8000000000000000352690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.325{6820D070-4AD1-6323-1500-000000007502}12201384C:\Windows\system32\svchost.exe{6820D070-4FD3-6323-7901-000000007502}5308C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.325{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1000-000000007502}428C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.325{6820D070-4AD1-6323-1500-000000007502}12201256C:\Windows\system32\svchost.exe{6820D070-4FD3-6323-7901-000000007502}5308C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000352687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.325{6820D070-4FD3-6323-7901-000000007502}5308C:\Windows\System32\dllhost.exeC:\Windows\System32\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=43AEE61AFABE70BFC876CC53D6A64E04,SHA256=8A4C893AEB075D3D9EFEC52E49CEF94471EB9F0A91BEB4C07DF38F8A48910C12,IMPHASH=67E6A4C8E164C0229E3FF1626F1894C6trueMicrosoft WindowsValid 734700x8000000000000000352686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.325{6820D070-4FD3-6323-7901-000000007502}5308C:\Windows\System32\dllhost.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000352685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.325{6820D070-4FD3-6323-7901-000000007502}5308C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000352684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.317{6820D070-4FD3-6323-7901-000000007502}5308C:\Windows\System32\dllhost.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x8000000000000000352683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.324{6820D070-4FD3-6323-7901-000000007502}5308C:\Windows\System32\dllhost.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000352682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.324{6820D070-4FD3-6323-7901-000000007502}5308C:\Windows\System32\dllhost.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000352681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.322{6820D070-4FD3-6323-7901-000000007502}5308C:\Windows\System32\dllhost.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000352680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.319{6820D070-4FD3-6323-7901-000000007502}5308C:\Windows\System32\dllhost.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 10341000x8000000000000000352679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.318{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4FD3-6323-7901-000000007502}5308C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000352678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.314{6820D070-4FD3-6323-7901-000000007502}5308C:\Windows\System32\dllhost.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000352677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.313{6820D070-4FD3-6323-7901-000000007502}5308C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000352676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.308{6820D070-4FD3-6323-7901-000000007502}5308C:\Windows\System32\dllhost.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000352675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.308{6820D070-4FD3-6323-7901-000000007502}5308C:\Windows\System32\dllhost.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000352674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.307{6820D070-4FD3-6323-7901-000000007502}5308C:\Windows\System32\dllhost.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000352673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.307{6820D070-4FD3-6323-7901-000000007502}5308C:\Windows\System32\dllhost.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 10341000x8000000000000000352672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.306{6820D070-4B7C-6323-8800-000000007502}628648C:\Windows\system32\csrss.exe{6820D070-4FD3-6323-7901-000000007502}5308C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5179f 734700x8000000000000000352671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.306{6820D070-4FD3-6323-7901-000000007502}5308C:\Windows\System32\dllhost.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000352670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.305{6820D070-4FD3-6323-7901-000000007502}5308C:\Windows\System32\dllhost.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000352669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.305{6820D070-4FD3-6323-7901-000000007502}5308C:\Windows\System32\dllhost.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000352668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.303{6820D070-4FD3-6323-7901-000000007502}5308C:\Windows\System32\dllhost.exeC:\Windows\System32\dllhost.exe10.0.14393.0 (rs1_release.160715-1616)COM SurrogateMicrosoft® Windows® Operating SystemMicrosoft Corporationdllhost.exeMD5=DA63852A2B0340E94D74EAF0CD444979,SHA256=EE8364C07B3F4F71FA649E0E6C4C73C15D285130E4B16E79890EEBBF89C2164E,IMPHASH=1C99A7F1249FB0C7B924253B69E59F88trueMicrosoft WindowsValid 10341000x8000000000000000352667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.301{6820D070-4ACF-6323-0500-000000007502}404420C:\Windows\system32\csrss.exe{6820D070-4FD3-6323-7901-000000007502}5308C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000352666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.300{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4FD3-6323-7901-000000007502}5308C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6f523|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+25b49|c:\windows\system32\rpcss.dll+40b02|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.299{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0F00-000000007502}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.280{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.246{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0D00-000000007502}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.235{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.169{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000352660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.163{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0900-000000007502}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 23542300x8000000000000000191998Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:20.885{E743DC12-4AD1-6323-2200-000000007602}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000191997Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:20.807{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=263F8215E65EFE6CB37F973116AF6FDD,SHA256=1B201EBA7283DC1032248B098CD50C115F239BA42DE6528A75EBD76235085C5C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000352731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:20.490{6820D070-4B7F-6323-9900-000000007502}29725508C:\Windows\Explorer.EXE{6820D070-4FC8-6323-7701-000000007502}8024C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:20.490{6820D070-4B7F-6323-9900-000000007502}29725508C:\Windows\Explorer.EXE{6820D070-4FC8-6323-7701-000000007502}8024C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:20.490{6820D070-4B7F-6323-9900-000000007502}29725508C:\Windows\Explorer.EXE{6820D070-4FC8-6323-7701-000000007502}8024C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:20.490{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+ca500|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:20.474{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+66460|C:\Windows\System32\SHELL32.dll+ca4bc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:20.474{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+ca490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:20.474{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000352724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:20.389{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8CFE97406F2A32AE0E9604C46E8399F,SHA256=7C27F60BD4E32BD86AA3CCD10B65B28EB8AC424EE8C4488ED3F562A7F87747B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000352723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:20.104{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C036E7F8DE91CCA027FB2668E7E88E4,SHA256=CE3B62ED5B210EECB451BC4753492F95D4C595C6D5E796EFE25479463C3753EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000352722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:20.006{6820D070-4B7F-6323-9900-000000007502}29726032C:\Windows\Explorer.EXE{6820D070-4FC8-6323-7701-000000007502}8024C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a26e|C:\Windows\System32\ole32.dll+89b6b|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8e5d|C:\Windows\System32\SHELL32.dll+28397e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x8000000000000000352721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:20.005{6820D070-4B7F-6323-9900-000000007502}29726032C:\Windows\Explorer.EXE{6820D070-4FC8-6323-7701-000000007502}8024C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+b5f62|C:\Windows\System32\ole32.dll+89b39|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8e5d|C:\Windows\System32\SHELL32.dll+28397e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x8000000000000000352720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:20.005{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2E00-000000007502}2728C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:20.004{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2D00-000000007502}2720C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:19.999{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 354300x8000000000000000192000Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:19.473{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49945-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000191999Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:21.895{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BEAB77377757931998EDB41D269A18E,SHA256=CA86BC4871BF7F5E2954B5374652F2874038DC5976E8F06EC6E16B9708BE7E2A,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000352806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.826{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 734700x8000000000000000352805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.793{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\msxml6.dll6.30.14393.5291MSXML 6.0Microsoft XML Core ServicesMicrosoft CorporationMSXML6.dllMD5=A362CCDBE82A110E864A59410B1C450F,SHA256=D05D510E37824ADF4917CA1F5BCD4F19F48B9664B2188C2CAD14481B6F7E0CC9,IMPHASH=FCAD6732873DA041FB25E83E799A2652trueMicrosoft WindowsValid 734700x8000000000000000352804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.744{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 13241300x8000000000000000352803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 16:16:21.844{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHashSHA256=9738ADDC8AEDB939A39026E254601718511C31C6D5D23AB2B4390392AAA92060 13241300x8000000000000000352802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 16:16:21.844{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigFileC:\Program Files\ansible\AttackRangeSysmon.xml 734700x8000000000000000352801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.744{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x8000000000000000352800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.744{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\crypt32.dll10.0.14393.5291 (rs1_release.220806-1444)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=0D54B119907CCD11827832973EAB917D,SHA256=78C28A0165B0A2581662CFB3A89E319006518DC2E1A664E6027C7F8EBFA05D92,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 16341600x8000000000000000352799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local2022-09-15 16:16:21.844C:\Program Files\ansible\AttackRangeSysmon.xmlSHA256=9738ADDC8AEDB939A39026E254601718511C31C6D5D23AB2B4390392AAA92060 13241300x8000000000000000352798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 16:16:21.844{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\RulesBinary Data 13241300x8000000000000000352797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 16:16:21.826{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookupBinary Data 13241300x8000000000000000352796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 16:16:21.826{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocationBinary Data 13241300x8000000000000000352795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 16:16:21.826{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithmDWORD (0x8000000e) 13241300x8000000000000000352794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 16:16:21.826{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\OptionsDWORD (0x00000007) 12241200x8000000000000000352793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-DeleteValue2022-09-15 16:16:21.826{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Rules 12241200x8000000000000000352792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-DeleteValue2022-09-15 16:16:21.826{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookup 12241200x8000000000000000352791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-DeleteValue2022-09-15 16:16:21.826{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocation 12241200x8000000000000000352790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-DeleteValue2022-09-15 16:16:21.826{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithm 12241200x8000000000000000352789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-DeleteValue2022-09-15 16:16:21.826{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Options 10341000x8000000000000000352788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.826{6820D070-4ACF-6323-0B00-000000007502}620660C:\Windows\system32\lsass.exe{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000352787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.725{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.14393.2457_none_a13eaee9d8fd5c07\comctl32.dll5.82 (rs1_release_inmarket.180822-1743)Common Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMCTL32.DLLMD5=C89866876D676708892DEEA04A886CDA,SHA256=6C498F9AFFC75DFAADDACB9D1D4248862622FB2B06F0A410BA303A26FEADFF2B,IMPHASH=49FE37530A5C395ADDDAFC2730B16DDDtrueMicrosoft WindowsValid 734700x8000000000000000352786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.725{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\comdlg32.dll10.0.14393.5192 (rs1_release.220610-1622)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=F8BDE1A5CF167F3CB31D90BAFCA37CF0,SHA256=F356387B7DA3C0D7C8DE54B1DD08258F0FA974403BE11534CAC2C7A276DDFBA8,IMPHASH=06716A63D3E6F97CB489B0D6810B3519trueMicrosoft WindowsValid 734700x8000000000000000352785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.725{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\mintdh.dll10.0.14393.0 (rs1_release.160715-1616)Event Trace Helper LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmintdh.dllMD5=32254E75260F1CAE3AB9EAC044B344B7,SHA256=B714E3CDEB23E63894D62E9335F51E301A9093F263623CCEFA2F674AABE7D629,IMPHASH=92D4FBE8F70FD95D329EA4882A8C3278trueMicrosoft WindowsValid 734700x8000000000000000352784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.759{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x8000000000000000352783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.759{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000352782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.744{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000352781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.744{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000352780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.724{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\tdh.dll10.0.14393.5125 (rs1_release.220429-1732)Event Trace Helper LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationtdh.dllMD5=6F455C95F294B3A3E34102BEF294D45C,SHA256=2182F234811B1DF1A366AE925A8167C0BC519AEBAF55A92887E36651EBA7E347,IMPHASH=E0A9B1840595F8507313FB797C5187E6trueMicrosoft WindowsValid 734700x8000000000000000352779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.722{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6,IMPHASH=46ADE2B067E724C7163A0B1902FEF225trueMicrosoft WindowsValid 734700x8000000000000000352778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.706{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x8000000000000000352777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.725{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000352776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.725{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000352775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.725{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000352774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.725{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000352773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.725{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000352772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.706{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Program Files\ansible\sysmon\Sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-MD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7AtrueMicrosoft CorporationValid 734700x8000000000000000352771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.725{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x8000000000000000352770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.725{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000352769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.725{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000352768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.725{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000352767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.725{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000352766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.723{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000352765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.723{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000352764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.722{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000352763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.722{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\wtsapi32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Remote Desktop Session Host Server SDK APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationwtsapi32.dllMD5=D0DB3DD09FB2B4ADABF4E719FAFC4EB9,SHA256=8B7C056B5F4AB604ED5077A39C63CE1B5A34929DE76DA4A3C54D6E648D123BAB,IMPHASH=AD7CEB919D43FA2BD394EC803EB6BCDAtrueMicrosoft WindowsValid 734700x8000000000000000352762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.722{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000352761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.706{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000352760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.706{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000352759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.706{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000352758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.706{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000352757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.706{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000352756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.706{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000352755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.706{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000352754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.706{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000352753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.706{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x8000000000000000352752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.706{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000352751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.706{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000352750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.706{6820D070-4FC8-6323-7801-000000007502}102166736C:\Windows\system32\conhost.exe{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000352749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.706{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000352748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.706{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000352747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.706{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000352746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.706{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.706{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.706{6820D070-4B7C-6323-8800-000000007502}628648C:\Windows\system32\csrss.exe{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000352743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.706{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.706{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.706{6820D070-4FC8-6323-7701-000000007502}80248124C:\Windows\system32\cmd.exe{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000352740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.676{6820D070-4FD5-6323-7A01-000000007502}9748C:\Program Files\ansible\sysmon\Sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-Sysmon64.exe -c "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Program Files\ansible\sysmon\ATTACKRANGE\Administrator{6820D070-4B7D-6323-1F63-0C0000000000}0xc631f2HighMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{6820D070-4FC8-6323-7701-000000007502}8024C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 734700x8000000000000000352739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.631{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000352738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.631{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000352737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.630{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000352736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.626{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000352735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.626{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000352734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.626{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000352733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.624{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000352732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:21.125{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64EF719BD4FF538F0899FECA80EB524C,SHA256=15C70AAADA89BA7A96A3B8F9DCCED794E22E13ED125F53A351A480DF8541467A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000352845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:22.998{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=517C2FA3B251FB69B4025C9241C65F83,SHA256=804EB5595442A38ABD5B5FB4EFE9222FD2C1F88DED9834465AE6CBEA0CADB0AD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000352844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:22.790{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:22.789{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4FC8-6323-7701-000000007502}8024C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:22.773{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:22.770{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:22.767{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:22.765{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:22.762{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:22.757{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:22.754{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF6-6323-1401-000000007502}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:22.752{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:22.749{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F100-000000007502}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:22.745{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F000-000000007502}6028C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:22.743{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EF00-000000007502}5984C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:22.735{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EE00-000000007502}5852C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:22.703{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:22.690{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:22.670{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:22.607{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:22.601{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-9100-000000007502}4556C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:22.590{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-8E00-000000007502}4492C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:22.579{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8B00-000000007502}4360C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:22.574{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8900-000000007502}900C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:22.571{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B64-6323-8600-000000007502}5052c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:22.566{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B5A-6323-8400-000000007502}4824C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:22.561{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AF2-6323-7D00-000000007502}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:22.557{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:22.549{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4C00-000000007502}3976C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:22.548{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4700-000000007502}3772C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:22.546{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE1-6323-4600-000000007502}3752C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:22.545{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE0-6323-3A00-000000007502}3404C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 23542300x8000000000000000352814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:22.162{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68394CE9B7A37AA2CF1CD6D4EE4748C6,SHA256=2D40ECAA83A67C470BB7A971BC81F49645F3F67559FD802A7D183AF28E2B40BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000352813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:22.051{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C255A54AF0CF9D052648DD60BCD33D0E,SHA256=7DB5CC06F87375F26EB6A8CE98EA2DF55F0753B327304ADC200D27E7EB0E0E1F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000352812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:22.042{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3500-000000007502}2408C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:22.041{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3300-000000007502}2176C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:22.036{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:22.034{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3100-000000007502}2816C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:22.032{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2F00-000000007502}2800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000352807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:22.027{6820D070-4ADF-6323-2A00-000000007502}26163548C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3000-000000007502}2780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013200190) 10341000x8000000000000000192010Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:23.988{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1100-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000192009Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:23.977{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1000-000000007602}940C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000192008Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:23.971{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0F00-000000007602}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000192007Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:23.962{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0E00-000000007602}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000192006Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:23.954{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0D00-000000007602}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000192005Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:23.945{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0C00-000000007602}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000192004Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:23.938{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000192003Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:23.935{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0900-000000007602}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 23542300x8000000000000000192002Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:23.082{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=168524D1FA4809E028EA0F20E1E0F63A,SHA256=467D5C317EA04452DB3CC84F01CA194FD371E350524E7E88082007D3E1E17C9D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192001Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:20.103{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49946-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 23542300x8000000000000000352898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.980{6820D070-4ADF-6323-3200-000000007502}2936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000352897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.712{6820D070-4FD7-6323-7B01-000000007502}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000352896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.712{6820D070-4FD7-6323-7B01-000000007502}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000352895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.712{6820D070-4FD7-6323-7B01-000000007502}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000352894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.530{6820D070-4FD7-6323-7B01-000000007502}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000352893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.530{6820D070-4FD7-6323-7B01-000000007502}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000352892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.530{6820D070-4FD7-6323-7B01-000000007502}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000352891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.530{6820D070-4FD7-6323-7B01-000000007502}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000352890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.529{6820D070-4FD7-6323-7B01-000000007502}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000352889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.528{6820D070-4FD7-6323-7B01-000000007502}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000352888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.527{6820D070-4FD7-6323-7B01-000000007502}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000352887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.527{6820D070-4FD7-6323-7B01-000000007502}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000352886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.510{6820D070-4FD7-6323-7B01-000000007502}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000352885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.510{6820D070-4FD7-6323-7B01-000000007502}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000352884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.510{6820D070-4FD7-6323-7B01-000000007502}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000352883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.510{6820D070-4FD7-6323-7B01-000000007502}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000352882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.510{6820D070-4FD7-6323-7B01-000000007502}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000352881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.510{6820D070-4FD7-6323-7B01-000000007502}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000352880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.510{6820D070-4FD7-6323-7B01-000000007502}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000352879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.510{6820D070-4FD7-6323-7B01-000000007502}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000352878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.510{6820D070-4FD7-6323-7B01-000000007502}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000352877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.510{6820D070-4FD7-6323-7B01-000000007502}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000352876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.510{6820D070-4FD7-6323-7B01-000000007502}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000352875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.510{6820D070-4FD7-6323-7B01-000000007502}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000352874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.510{6820D070-4FD7-6323-7B01-000000007502}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000352873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.510{6820D070-4FD7-6323-7B01-000000007502}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000352872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.510{6820D070-4FD7-6323-7B01-000000007502}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000352871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.510{6820D070-4FD7-6323-7B01-000000007502}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000352870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.510{6820D070-4FD7-6323-7B01-000000007502}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000352869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.510{6820D070-4FD7-6323-7B01-000000007502}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000352868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.510{6820D070-4FD7-6323-7B01-000000007502}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000352867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.510{6820D070-4FD7-6323-7B01-000000007502}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000352866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.510{6820D070-4FD7-6323-7B01-000000007502}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000352865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.510{6820D070-4FD7-6323-7B01-000000007502}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000352864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.510{6820D070-4FD7-6323-7B01-000000007502}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000352863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.510{6820D070-4FD7-6323-7B01-000000007502}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000352862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.510{6820D070-4FD7-6323-7B01-000000007502}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000352861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.510{6820D070-4FD7-6323-7B01-000000007502}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000352860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.510{6820D070-4FD7-6323-7B01-000000007502}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000352859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.510{6820D070-4FD7-6323-7B01-000000007502}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000352858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.510{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4FD7-6323-7B01-000000007502}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000352857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.510{6820D070-4FD7-6323-7B01-000000007502}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000352856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.510{6820D070-4FD7-6323-7B01-000000007502}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000352855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.510{6820D070-4FD7-6323-7B01-000000007502}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000352854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.510{6820D070-4FD7-6323-7B01-000000007502}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000352853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.510{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.510{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.510{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.510{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.510{6820D070-4ACF-6323-0500-000000007502}404472C:\Windows\system32\csrss.exe{6820D070-4FD7-6323-7B01-000000007502}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000352848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.510{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4FD7-6323-7B01-000000007502}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000352847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.511{6820D070-4FD7-6323-7B01-000000007502}7172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000352846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.229{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDFFFD9B3D84AF228259D101F2EFB582,SHA256=C3127ECA322A54D9105E274A1F4F33024A65CC00A35A3D34F1714D2D97F3FD19,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000353016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.881{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000353015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.881{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000353014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.881{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000353013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.711{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000353012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.711{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000353011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.711{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000353010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.711{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000353009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.696{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000353008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.696{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000353007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.696{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000353006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.696{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000353005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.696{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000353004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.696{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000353003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.696{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000353002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.680{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000353001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.680{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000353000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.680{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000352999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.680{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000352998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.680{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000352997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.680{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000352996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.680{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000352995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.680{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000352994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.680{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000352993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.680{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000352992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.680{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000352991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.680{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000352990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.680{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000352989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.680{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000352988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.680{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000352987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.680{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000352986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.680{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000352985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.680{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000352984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.680{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000352983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.680{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000352982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.680{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000352981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.680{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000352980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.680{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000352979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.680{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000352978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.680{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000352977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.680{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000352976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.680{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000352975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.680{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000352974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.680{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000352973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.680{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000352972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.680{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000352971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.680{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000352970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.680{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000352969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.680{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000352968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.680{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.680{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.680{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.680{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.680{6820D070-4ACF-6323-0500-000000007502}404472C:\Windows\system32\csrss.exe{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000352963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.680{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000352962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.681{6820D070-4FD8-6323-7D01-000000007502}8668C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000352961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.431{6820D070-4FD8-6323-7C01-000000007502}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000352960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.431{6820D070-4FD8-6323-7C01-000000007502}71767192C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000352959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.431{6820D070-4FD8-6323-7C01-000000007502}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000352958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.431{6820D070-4FD8-6323-7C01-000000007502}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000352957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.330{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=499CDEB6EA621655E63AD76B84D3E694,SHA256=3804789BF9AEDA2758B62D1EE826212190145BDC3F7C43727E0E090896591109,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000352956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.329{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=365BAB9D7F872C24BB1DD011F69023DB,SHA256=71DE6D6BB1241BE09037F439373C3440646E48ECA597BB8FEB94DBDC6AE9E2C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192039Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:24.186{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B84-6323-9000-000000007602}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000192038Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:24.175{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000192037Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:24.151{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000192036Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:24.145{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8700-000000007602}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000192035Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:24.132{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B81-6323-8400-000000007602}3052C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000192034Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:24.127{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B80-6323-8100-000000007602}640C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000192033Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:24.126{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B7F-6323-7F00-000000007602}1676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000192032Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:24.123{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B4B-6323-7B00-000000007602}2656C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000192031Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:24.121{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AE3-6323-6D00-000000007602}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000192030Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:24.119{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000192029Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:24.116{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4200-000000007602}3036C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000192028Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:24.115{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4000-000000007602}3000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000192027Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:24.113{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-3C00-000000007602}2820C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000192026Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:24.112{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD2-6323-2B00-000000007602}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000192025Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:24.111{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2600-000000007602}2612C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000192024Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:24.109{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2500-000000007602}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000192023Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:24.106{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000192022Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:24.102{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000192021Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:24.099{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2000-000000007602}2000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000192020Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:24.097{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1F00-000000007602}1984C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000192019Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:24.088{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1C00-000000007602}1924C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000192018Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:24.079{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1900-000000007602}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000192017Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:24.060{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1700-000000007602}1228C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 23542300x8000000000000000192016Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:24.058{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=256918E9B0A706CD37692E686D9FA524,SHA256=D71568A7229E38622700DDED5132E0198C8AA0A81EDD87EADE5307B287E78051,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192015Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:24.055{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1600-000000007602}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000192014Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:24.045{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1500-000000007602}1056C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000192013Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:24.017{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1400-000000007602}1048C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000192012Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:24.010{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1300-000000007602}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 10341000x8000000000000000192011Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:23.999{E743DC12-4AD0-6323-1D00-000000007602}19443288C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1200-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000016C8E190) 734700x8000000000000000352955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.230{6820D070-4FD8-6323-7C01-000000007502}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000352954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.230{6820D070-4FD8-6323-7C01-000000007502}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000352953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.230{6820D070-4FD8-6323-7C01-000000007502}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000352952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.230{6820D070-4FD8-6323-7C01-000000007502}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000352951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.230{6820D070-4FD8-6323-7C01-000000007502}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000352950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.230{6820D070-4FD8-6323-7C01-000000007502}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000352949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.230{6820D070-4FD8-6323-7C01-000000007502}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000352948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.230{6820D070-4FD8-6323-7C01-000000007502}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000352947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.209{6820D070-4FD8-6323-7C01-000000007502}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000352946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.209{6820D070-4FD8-6323-7C01-000000007502}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000352945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.209{6820D070-4FD8-6323-7C01-000000007502}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000352944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.194{6820D070-4FD8-6323-7C01-000000007502}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000352943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.194{6820D070-4FD8-6323-7C01-000000007502}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000352942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.194{6820D070-4FD8-6323-7C01-000000007502}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000352941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.194{6820D070-4FD8-6323-7C01-000000007502}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000352940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.194{6820D070-4FD8-6323-7C01-000000007502}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000352939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.194{6820D070-4FD8-6323-7C01-000000007502}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000352938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.194{6820D070-4FD8-6323-7C01-000000007502}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000352937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.194{6820D070-4FD8-6323-7C01-000000007502}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000352936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.194{6820D070-4FD8-6323-7C01-000000007502}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000352935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.194{6820D070-4FD8-6323-7C01-000000007502}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000352934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.194{6820D070-4FD8-6323-7C01-000000007502}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000352933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.194{6820D070-4FD8-6323-7C01-000000007502}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000352932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.194{6820D070-4FD8-6323-7C01-000000007502}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000352931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.194{6820D070-4FD8-6323-7C01-000000007502}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000352930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.194{6820D070-4FD8-6323-7C01-000000007502}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000352929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.194{6820D070-4FD8-6323-7C01-000000007502}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000352928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.194{6820D070-4FD8-6323-7C01-000000007502}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000352927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.194{6820D070-4FD8-6323-7C01-000000007502}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000352926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.194{6820D070-4FD8-6323-7C01-000000007502}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000352925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.194{6820D070-4FD8-6323-7C01-000000007502}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000352924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.194{6820D070-4FD8-6323-7C01-000000007502}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000352923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.194{6820D070-4FD8-6323-7C01-000000007502}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000352922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.194{6820D070-4FD8-6323-7C01-000000007502}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000352921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.194{6820D070-4FD8-6323-7C01-000000007502}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000352920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.194{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4FD8-6323-7C01-000000007502}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000352919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.194{6820D070-4FD8-6323-7C01-000000007502}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000352918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.194{6820D070-4FD8-6323-7C01-000000007502}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000352917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.194{6820D070-4FD8-6323-7C01-000000007502}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000352916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.194{6820D070-4FD8-6323-7C01-000000007502}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000352915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.191{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.191{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.191{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.191{6820D070-4ACF-6323-0500-000000007502}404472C:\Windows\system32\csrss.exe{6820D070-4FD8-6323-7C01-000000007502}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000352911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.191{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000352910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.191{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4FD8-6323-7C01-000000007502}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000352909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.192{6820D070-4FD8-6323-7C01-000000007502}7176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000352908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.059{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0A00-000000007502}612C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000352907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.059{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0A00-000000007502}612C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000352906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.059{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0A00-000000007502}612C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000352905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.059{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0A00-000000007502}612C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000352904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.055{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3500-000000007502}2408C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000352903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.055{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3500-000000007502}2408C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000352902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.055{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0A00-000000007502}612C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000352901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.055{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0A00-000000007502}612C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000352900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.052{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3500-000000007502}2408C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000352899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:24.052{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3500-000000007502}2408C:\Windows\System32\vds.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 23542300x8000000000000000192040Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:25.129{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36B76C98248BF99C25AF240848096137,SHA256=A467A14E3F0CDBC26D378B957F20EC68454EF025D83A6E2AF2FFC4A1AADB9918,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000353070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.822{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49831455D55EE763D5E6F70CE290F275,SHA256=AC463F03501B685D47356745B397446A31B0C6CDEB6CAE58DA21D84BEE818370,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000353069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.790{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3524FA71BB1AC6BE7B49B7AE3FFB36DD,SHA256=9CECF2B2D37D7A01D3F459E21B2656683DF9351C38B404AA645F7D5FAB9EEEBD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000353068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.642{6820D070-4FD9-6323-7E01-000000007502}96729664C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000353067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.642{6820D070-4FD9-6323-7E01-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000353066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.641{6820D070-4FD9-6323-7E01-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 354300x8000000000000000353065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:23.151{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63637-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 734700x8000000000000000353064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.397{6820D070-4FD9-6323-7E01-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000353063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.381{6820D070-4FD9-6323-7E01-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000353062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.381{6820D070-4FD9-6323-7E01-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000353061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.381{6820D070-4FD9-6323-7E01-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000353060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.381{6820D070-4FD9-6323-7E01-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000353059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.381{6820D070-4FD9-6323-7E01-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000353058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.381{6820D070-4FD9-6323-7E01-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000353057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.381{6820D070-4FD9-6323-7E01-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000353056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.381{6820D070-4FD9-6323-7E01-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000353055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.366{6820D070-4FD9-6323-7E01-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000353054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.366{6820D070-4FD9-6323-7E01-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000353053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.366{6820D070-4FD9-6323-7E01-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000353052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.366{6820D070-4FD9-6323-7E01-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000353051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.366{6820D070-4FD9-6323-7E01-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000353050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.366{6820D070-4FD9-6323-7E01-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000353049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.366{6820D070-4FD9-6323-7E01-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000353048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.366{6820D070-4FD9-6323-7E01-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000353047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.366{6820D070-4FD9-6323-7E01-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000353046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.366{6820D070-4FD9-6323-7E01-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000353045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.366{6820D070-4FD9-6323-7E01-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000353044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.366{6820D070-4FD9-6323-7E01-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000353043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.366{6820D070-4FD9-6323-7E01-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000353042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.366{6820D070-4FD9-6323-7E01-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000353041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.366{6820D070-4FD9-6323-7E01-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000353040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.366{6820D070-4FD9-6323-7E01-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000353039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.366{6820D070-4FD9-6323-7E01-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000353038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.366{6820D070-4FD9-6323-7E01-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000353037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.366{6820D070-4FD9-6323-7E01-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000353036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.366{6820D070-4FD9-6323-7E01-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000353035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.366{6820D070-4FD9-6323-7E01-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000353034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.366{6820D070-4FD9-6323-7E01-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000353033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.366{6820D070-4FD9-6323-7E01-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000353032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.366{6820D070-4FD9-6323-7E01-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000353031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.366{6820D070-4FD9-6323-7E01-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000353030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.366{6820D070-4FD9-6323-7E01-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000353029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.366{6820D070-4FD9-6323-7E01-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000353028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.366{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4FD9-6323-7E01-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000353027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.366{6820D070-4FD9-6323-7E01-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000353026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.366{6820D070-4FD9-6323-7E01-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000353025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.366{6820D070-4FD9-6323-7E01-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000353024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.366{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.366{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000353022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.366{6820D070-4FD9-6323-7E01-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000353021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.366{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.366{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.366{6820D070-4ACF-6323-0500-000000007502}404420C:\Windows\system32\csrss.exe{6820D070-4FD9-6323-7E01-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000353018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.366{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4FD9-6323-7E01-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000353017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.366{6820D070-4FD9-6323-7E01-000000007502}9672C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000192041Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:26.224{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0335B7F2FA4C8A69A28A03B7AD44037B,SHA256=B08D0307C0326618CE370A146E800169A34F4FBABC666A1388A41A086BE66E4A,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000353175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.925{6820D070-4FDA-6323-8001-000000007502}8292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000353174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.925{6820D070-4FDA-6323-8001-000000007502}82928244C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000353173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.925{6820D070-4FDA-6323-8001-000000007502}8292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000353172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.925{6820D070-4FDA-6323-8001-000000007502}8292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000353171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.723{6820D070-4FDA-6323-8001-000000007502}8292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000353170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.723{6820D070-4FDA-6323-8001-000000007502}8292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000353169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.723{6820D070-4FDA-6323-8001-000000007502}8292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000353168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.723{6820D070-4FDA-6323-8001-000000007502}8292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000353167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.723{6820D070-4FDA-6323-8001-000000007502}8292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000353166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.723{6820D070-4FDA-6323-8001-000000007502}8292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000353165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.723{6820D070-4FDA-6323-8001-000000007502}8292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000353164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.723{6820D070-4FDA-6323-8001-000000007502}8292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000353163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.708{6820D070-4FDA-6323-8001-000000007502}8292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000353162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.708{6820D070-4FDA-6323-8001-000000007502}8292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000353161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.708{6820D070-4FDA-6323-8001-000000007502}8292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000353160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.708{6820D070-4FDA-6323-8001-000000007502}8292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000353159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.708{6820D070-4FDA-6323-8001-000000007502}8292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000353158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.708{6820D070-4FDA-6323-8001-000000007502}8292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000353157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.708{6820D070-4FDA-6323-8001-000000007502}8292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000353156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.708{6820D070-4FDA-6323-8001-000000007502}8292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000353155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.708{6820D070-4FDA-6323-8001-000000007502}8292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000353154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.708{6820D070-4FDA-6323-8001-000000007502}8292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000353153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.708{6820D070-4FDA-6323-8001-000000007502}8292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000353152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.708{6820D070-4FDA-6323-8001-000000007502}8292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000353151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.708{6820D070-4FDA-6323-8001-000000007502}8292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000353150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.708{6820D070-4FDA-6323-8001-000000007502}8292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000353149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.708{6820D070-4FDA-6323-8001-000000007502}8292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000353148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.708{6820D070-4FDA-6323-8001-000000007502}8292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000353147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.708{6820D070-4FDA-6323-8001-000000007502}8292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000353146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.708{6820D070-4FDA-6323-8001-000000007502}8292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000353145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.708{6820D070-4FDA-6323-8001-000000007502}8292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000353144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.708{6820D070-4FDA-6323-8001-000000007502}8292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000353143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.708{6820D070-4FDA-6323-8001-000000007502}8292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000353142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.708{6820D070-4FDA-6323-8001-000000007502}8292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000353141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.708{6820D070-4FDA-6323-8001-000000007502}8292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000353140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.708{6820D070-4FDA-6323-8001-000000007502}8292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000353139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.708{6820D070-4FDA-6323-8001-000000007502}8292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000353138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.708{6820D070-4FDA-6323-8001-000000007502}8292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000353137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.708{6820D070-4FDA-6323-8001-000000007502}8292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000353136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.708{6820D070-4FDA-6323-8001-000000007502}8292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000353135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.708{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4FDA-6323-8001-000000007502}8292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000353134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.708{6820D070-4FDA-6323-8001-000000007502}8292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000353133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.708{6820D070-4FDA-6323-8001-000000007502}8292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000353132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.708{6820D070-4FDA-6323-8001-000000007502}8292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000353131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.708{6820D070-4FDA-6323-8001-000000007502}8292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000353130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.708{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.708{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.708{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.708{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.708{6820D070-4ACF-6323-0500-000000007502}404420C:\Windows\system32\csrss.exe{6820D070-4FDA-6323-8001-000000007502}8292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000353125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.708{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4FDA-6323-8001-000000007502}8292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000353124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.708{6820D070-4FDA-6323-8001-000000007502}8292C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000353123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.455{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADED8A5F59A59DECDEDA4D699FE2ABE8,SHA256=D44FA9A7463EE0E7849C28C21F8D1D8FA85B15CDE289135BBEB23923F096CBE8,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000353122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.204{6820D070-4FDA-6323-7F01-000000007502}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000353121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.204{6820D070-4FDA-6323-7F01-000000007502}97209652C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000353120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.204{6820D070-4FDA-6323-7F01-000000007502}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000353119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.204{6820D070-4FDA-6323-7F01-000000007502}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000353118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.156{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFFF2DD9CDE0DD693B18B8CD0D63CC10,SHA256=1E3A4AE0BDC7D858328777BF73FA6DA82504C82BEB5DB8F737D576202F696159,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000353117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.046{6820D070-4FDA-6323-7F01-000000007502}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000353116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.046{6820D070-4FDA-6323-7F01-000000007502}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000353115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.045{6820D070-4FDA-6323-7F01-000000007502}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000353114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.044{6820D070-4FDA-6323-7F01-000000007502}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000353113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.043{6820D070-4FDA-6323-7F01-000000007502}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000353112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.042{6820D070-4FDA-6323-7F01-000000007502}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000353111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.042{6820D070-4FDA-6323-7F01-000000007502}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000353110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.040{6820D070-4FDA-6323-7F01-000000007502}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000353109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.034{6820D070-4FDA-6323-7F01-000000007502}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000353108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.034{6820D070-4FDA-6323-7F01-000000007502}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000353107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.033{6820D070-4FDA-6323-7F01-000000007502}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000353106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.033{6820D070-4FDA-6323-7F01-000000007502}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000353105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.032{6820D070-4FDA-6323-7F01-000000007502}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000353104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.030{6820D070-4FDA-6323-7F01-000000007502}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000353103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.030{6820D070-4FDA-6323-7F01-000000007502}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000353102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.030{6820D070-4FDA-6323-7F01-000000007502}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000353101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.029{6820D070-4FDA-6323-7F01-000000007502}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000353100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.029{6820D070-4FDA-6323-7F01-000000007502}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000353099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.029{6820D070-4FDA-6323-7F01-000000007502}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000353098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.029{6820D070-4FDA-6323-7F01-000000007502}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000353097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.029{6820D070-4FDA-6323-7F01-000000007502}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000353096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.029{6820D070-4FDA-6323-7F01-000000007502}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000353095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.029{6820D070-4FDA-6323-7F01-000000007502}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000353094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.029{6820D070-4FDA-6323-7F01-000000007502}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000353093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.029{6820D070-4FDA-6323-7F01-000000007502}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000353092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.028{6820D070-4FDA-6323-7F01-000000007502}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000353091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.028{6820D070-4FDA-6323-7F01-000000007502}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000353090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.028{6820D070-4FDA-6323-7F01-000000007502}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000353089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.028{6820D070-4FDA-6323-7F01-000000007502}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000353088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.028{6820D070-4FDA-6323-7F01-000000007502}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000353087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.028{6820D070-4FDA-6323-7F01-000000007502}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000353086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.028{6820D070-4FDA-6323-7F01-000000007502}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000353085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.028{6820D070-4FDA-6323-7F01-000000007502}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000353084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.027{6820D070-4FDA-6323-7F01-000000007502}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000353083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.027{6820D070-4FDA-6323-7F01-000000007502}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000353082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.026{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4FDA-6323-7F01-000000007502}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000353081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.025{6820D070-4FDA-6323-7F01-000000007502}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000353080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.025{6820D070-4FDA-6323-7F01-000000007502}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000353079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.024{6820D070-4FDA-6323-7F01-000000007502}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000353078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.024{6820D070-4FDA-6323-7F01-000000007502}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000353077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.024{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.024{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.023{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.023{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.023{6820D070-4ACF-6323-0500-000000007502}404420C:\Windows\system32\csrss.exe{6820D070-4FDA-6323-7F01-000000007502}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000353072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.023{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4FDA-6323-7F01-000000007502}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000353071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:26.023{6820D070-4FDA-6323-7F01-000000007502}9720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000192068Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:27.435{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4700A552CF8A9B37F91BFF20F34980C,SHA256=B22E0727E3EAAD464945CD61FE9D285064E81F21A6D09261AD5771B2B3104206,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000353229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.665{6820D070-4FDB-6323-8101-000000007502}8336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000353228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.663{6820D070-4FDB-6323-8101-000000007502}8336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000353227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.662{6820D070-4FDB-6323-8101-000000007502}8336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000353226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.560{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FA410DF7990B23DA9A18F4227702C0A,SHA256=4EB793DF75B5EE1BC8F60D99035A39A887AD3A1533D1D4606DE9E37FEC31CD76,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000353225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.290{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63638-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000192067Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:27.310{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192066Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:27.310{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192065Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:27.310{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192064Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:27.310{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192063Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:27.310{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192062Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:27.310{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192061Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:27.310{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192060Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:27.310{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192059Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:27.310{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192058Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:27.310{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192057Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:27.310{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192056Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:27.310{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192055Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:27.310{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192054Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:27.310{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192053Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:27.310{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192052Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:27.310{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192051Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:27.310{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192050Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:27.310{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192049Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:27.310{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192048Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:27.310{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192047Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:27.310{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192046Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:27.310{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192045Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:27.310{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192044Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:27.310{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B84-6323-9000-000000007602}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192043Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:27.310{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B84-6323-9000-000000007602}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192042Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:27.310{E743DC12-4AD0-6323-0D00-000000007602}788808C:\Windows\system32\svchost.exe{E743DC12-4B84-6323-9000-000000007602}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000353224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.426{6820D070-4FDB-6323-8101-000000007502}8336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000353223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.426{6820D070-4FDB-6323-8101-000000007502}8336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000353222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.426{6820D070-4FDB-6323-8101-000000007502}8336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000353221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.426{6820D070-4FDB-6323-8101-000000007502}8336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000353220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.411{6820D070-4FDB-6323-8101-000000007502}8336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000353219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.411{6820D070-4FDB-6323-8101-000000007502}8336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000353218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.411{6820D070-4FDB-6323-8101-000000007502}8336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000353217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.395{6820D070-4FDB-6323-8101-000000007502}8336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000353216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.395{6820D070-4FDB-6323-8101-000000007502}8336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000353215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.395{6820D070-4FDB-6323-8101-000000007502}8336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000353214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.395{6820D070-4FDB-6323-8101-000000007502}8336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000353213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.395{6820D070-4FDB-6323-8101-000000007502}8336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000353212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.395{6820D070-4FDB-6323-8101-000000007502}8336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000353211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.395{6820D070-4FDB-6323-8101-000000007502}8336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000353210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.395{6820D070-4FDB-6323-8101-000000007502}8336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000353209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.395{6820D070-4FDB-6323-8101-000000007502}8336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000353208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.395{6820D070-4FDB-6323-8101-000000007502}8336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000353207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.395{6820D070-4FDB-6323-8101-000000007502}8336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000353206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.380{6820D070-4FDB-6323-8101-000000007502}8336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000353205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.380{6820D070-4FDB-6323-8101-000000007502}8336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000353204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.380{6820D070-4FDB-6323-8101-000000007502}8336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000353203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.380{6820D070-4FDB-6323-8101-000000007502}8336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000353202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.380{6820D070-4FDB-6323-8101-000000007502}8336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000353201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.380{6820D070-4FDB-6323-8101-000000007502}8336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000353200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.380{6820D070-4FDB-6323-8101-000000007502}8336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000353199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.380{6820D070-4FDB-6323-8101-000000007502}8336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000353198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.380{6820D070-4FDB-6323-8101-000000007502}8336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000353197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.380{6820D070-4FDB-6323-8101-000000007502}8336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000353196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.380{6820D070-4FDB-6323-8101-000000007502}8336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000353195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.380{6820D070-4FDB-6323-8101-000000007502}8336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000353194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.380{6820D070-4FDB-6323-8101-000000007502}8336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000353193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.380{6820D070-4FDB-6323-8101-000000007502}8336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000353192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.380{6820D070-4FDB-6323-8101-000000007502}8336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000353191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.380{6820D070-4FDB-6323-8101-000000007502}8336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000353190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.380{6820D070-4FDB-6323-8101-000000007502}8336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000353189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.380{6820D070-4FDB-6323-8101-000000007502}8336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000353188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.380{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-4FDB-6323-8101-000000007502}8336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000353187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.380{6820D070-4FDB-6323-8101-000000007502}8336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000353186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.380{6820D070-4FDB-6323-8101-000000007502}8336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000353185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.380{6820D070-4FDB-6323-8101-000000007502}8336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000353184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.380{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.380{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000353182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.380{6820D070-4FDB-6323-8101-000000007502}8336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000353181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.380{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.380{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.380{6820D070-4ACF-6323-0500-000000007502}404520C:\Windows\system32\csrss.exe{6820D070-4FDB-6323-8101-000000007502}8336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000353178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.377{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-4FDB-6323-8101-000000007502}8336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000353177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.378{6820D070-4FDB-6323-8101-000000007502}8336C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000353176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:27.342{6820D070-4ADF-6323-3200-000000007502}2936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=A6454C311379EE962D2FCEC0956D32B7,SHA256=EAA155EFC3417DBCDB02063D0BC225B88200CFF2AEDE488200F8A911D6F57233,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192070Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:28.541{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FCED367C970AE1D594C7D9A058CCD5D,SHA256=3E3A9DB56E0E69852ED987510270B9D0B66793EA7D19A6F95865A6E7D9823D91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000353232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:28.689{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=768A7B22015593747C89B9039C599267,SHA256=EAF27D6A200A4690FA77721B96B66C12C2AB263458777DEAD51BE9A02B735C22,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192069Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:25.473{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49947-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000353231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.879{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63639-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000353230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:25.879{6820D070-4ADF-6323-2600-000000007502}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63639-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 23542300x8000000000000000192071Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:29.638{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCAD773C4572566BF601A5CE9C2951C4,SHA256=BD92E948AE5EC5FF7B0AA14252A38C7B641423DC2C3C8C5B33916F979D6E3044,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000353233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:29.725{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95DD4B9ECA5A19307E840F6CF03E7EF6,SHA256=FD3066D72D4978F9B07229CF0524893FC8A6C36222040661E4CBD1EEFC2DBE84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192073Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:30.734{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74E98ABB8866A7F62C941DB306255528,SHA256=0EBA042FA670FEFF39353D3B5522703FF756C194FBF51D0558FDF07CC29CB65D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000353241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:30.812{6820D070-4B7F-6323-9900-000000007502}29725508C:\Windows\Explorer.EXE{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:30.812{6820D070-4B7F-6323-9900-000000007502}29725508C:\Windows\Explorer.EXE{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:30.812{6820D070-4B7F-6323-9900-000000007502}29725508C:\Windows\Explorer.EXE{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:30.812{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+ca500|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:30.812{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+66460|C:\Windows\System32\SHELL32.dll+ca4bc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:30.812{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+ca490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:30.812{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000353234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:30.759{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA880B6824A31B96DEA7202A6BAD9EF9,SHA256=0CBDCC2367EC8E341F0ADCA604C29F6AEC69D583527D8BFF27B1E11BDF41B681,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192072Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:30.625{E743DC12-4AD0-6323-1C00-000000007602}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\respondent-20220915155459-020MD5=36EB26F9EED14D2A649109B5B0D3FC1A,SHA256=D5225DBB467937E991D5678F78067E4612BF477D9EC2143F1C43E71004CE921E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192075Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:31.841{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E87ED4FB4D4FFFE23547510D2B1F7A63,SHA256=DF807CB4C80267011FEFCE159018E713185853070C7102004738891981144940,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000353242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:31.897{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF16F52B788584894E1EEEACFCF70C02,SHA256=5E5D5875AEDCCF82A59D04FE62B96CA8FF567D24AF405BB700EFA94BAC7BC029,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192074Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:31.638{E743DC12-4AD0-6323-1C00-000000007602}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\surveyor-20220915155457-021MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192076Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:32.950{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0F52FFEE81A58ECFE1B785436F4A3A7,SHA256=EDFDD5EA0E92B954CC15EE2C0E550676D146DAD478606082BDA28F8646AD23AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000353244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:32.948{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ECED2C4ED5920DD21AADE382CA46681,SHA256=4512D9ECE04728804C387D6233EDD5B33AE8D68CB38BFD0B366A671FED557BCE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000353243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:30.369{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63640-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000353245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:33.981{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBEDB7CE3B41A43717B9F2F8478D71DC,SHA256=8BC42E9662AEA06993911AA9526E7FE44838BF7C535C9D639061EE1400965A07,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192078Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:31.414{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49948-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000192077Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:34.037{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=079F8313EBB9A4B89F5A1EB6B8143E15,SHA256=2528617BBD6C0A3F22656C7EE5701A73A569E7DF1D6984075D24C27D2742EAB9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000353246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:34.651{6820D070-4AD1-6323-0D00-000000007502}8883304C:\Windows\system32\svchost.exe{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000192079Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:35.117{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70156BDEF66A17B917C535D532E4073C,SHA256=7033C4F046DE27C26FCAF74196121FA52684E264C94676EFA2FEFF1528CA3BDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000353247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:35.083{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD62BF90B6054B7A5B95B73F8A955347,SHA256=D88219D5237C5FEEEE2D1E8DD8022715297CEE822784AE46124AA549D6E5B71C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192080Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:36.333{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5961FF3FC64C3F9D322E211D2AF7283C,SHA256=53BAA4458C78889375D24F8F3A22DCB232EC00E1D96EF1B295E42A83686C72B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000353248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:36.139{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=515D77FFFAC6C581564C27C7B2DF1577,SHA256=B1D5ED91BA1C4D05E68492C9811AEAE1A218DD6BFE66036932CDFF21FE98A3AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192081Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:37.425{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D17D9F3DEE5AA014FD400387C5F7395,SHA256=E222CF6323E8926CBE6BA51F3A0AF627449CD5EE956441E5AC6F8ACF2AE80AA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000353249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:37.208{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88E2C3829CCD932F2913EB673D10F424,SHA256=60B7B84385C43DBF7C421DC721097DBA1EA52F5C11F3C8D90DE330745BC3831C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192082Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:38.529{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C81054101D95992C5F158A43E11E16C,SHA256=5DE383260C36F909421E28A213DDDFEF37D645DE801118E1CA11751E4B1B433D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000353251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:36.276{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63641-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000353250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:38.309{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A826E853A7B41FAFFD8D241772BED247,SHA256=8AC98D00A565294B9EA894105AB58DBB44C1678C8C4B17F2562C381DDA4183AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192084Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:39.622{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62D920A1B4DDE9B125DD528189D82445,SHA256=0F810676D56607D50C064F1BF5BC72F190F822B9FE32FF5B47112F2A5F7D1908,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000353273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:39.503{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:39.489{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2900-000000007502}2576C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:39.482{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:39.462{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2600-000000007502}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:39.446{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2500-000000007502}2460C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:39.443{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADB-6323-2300-000000007502}2300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:39.441{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD2-6323-1B00-000000007502}1512C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:39.438{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1700-000000007502}1348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:39.418{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1600-000000007502}1292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:39.367{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:39.359{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1400-000000007502}1160C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 23542300x8000000000000000353262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:39.356{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19E0BD49A3515B6CDA4D19C839005731,SHA256=BBF5D8C3271F076B002227B4C00ECE50107A86D9C980DA315CE96DA29A8A443F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000353261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:39.337{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1300-000000007502}924C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:39.314{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1200-000000007502}396C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 354300x8000000000000000192083Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:37.432{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49949-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000353259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:39.298{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1100-000000007502}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:39.285{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1000-000000007502}428C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:39.264{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0F00-000000007502}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:39.247{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:39.236{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0D00-000000007502}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:39.226{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:39.185{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:39.182{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0900-000000007502}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 23542300x8000000000000000192085Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:40.706{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F193AC713A119F7C979BF7D0315B65B9,SHA256=3AA09D89C08108DB7A61EF01124100AA59622102D624FE9B7DB2B2F5899DFC79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000353277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:40.383{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F4240C71A0B0E46474ED87EC4A1A241,SHA256=8CFD26A42A6C9884C3348F81952A11924BB0B6667BE45F908DF158FD2828E98A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000353276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:40.061{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2E00-000000007502}2728C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:40.059{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2D00-000000007502}2720C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:40.055{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 23542300x8000000000000000192087Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:41.804{E743DC12-4AD1-6323-2200-000000007602}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=BE73897B8EA6397A1F70307DECB2BB31,SHA256=8FA22C7AC2EE60EA0C454CC1FB4C5F0A0512CDFE354CC11F3842137C497FED47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192086Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:41.804{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43379658E0B2324D461824C949B9DFE7,SHA256=59FB7F5FDAF723CBA23CEC1FB05FE0C6A4E25E3D70946719DFDA26F6AA5611BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000353278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:41.420{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B899FC697ACC4832CCEEBE67CA7668B2,SHA256=CB0524EE19D78DDF9D1DD39245C80104767BC2B1589B6D8A86A153F43BCA7BA5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000353315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:42.821{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:42.820{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4FC8-6323-7701-000000007502}8024C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:42.805{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:42.803{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:42.800{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:42.793{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:42.790{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:42.787{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:42.784{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF6-6323-1401-000000007502}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:42.783{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:42.777{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F100-000000007502}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:42.772{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F000-000000007502}6028C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:42.770{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EF00-000000007502}5984C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:42.763{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EE00-000000007502}5852C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:42.739{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:42.728{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:42.713{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:42.654{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:42.646{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-9100-000000007502}4556C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:42.631{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-8E00-000000007502}4492C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:42.625{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8B00-000000007502}4360C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:42.623{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8900-000000007502}900C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:42.621{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B64-6323-8600-000000007502}5052c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:42.615{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B5A-6323-8400-000000007502}4824C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:42.613{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AF2-6323-7D00-000000007502}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:42.611{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:42.606{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4C00-000000007502}3976C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:42.606{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4700-000000007502}3772C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:42.603{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE1-6323-4600-000000007502}3752C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:42.603{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE0-6323-3A00-000000007502}3404C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 23542300x8000000000000000353285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:42.491{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12694B2CFD854B3F9BA816D4222A6275,SHA256=DF2827802F5CB16437AC170E9772F4507AC55AB4FF875B438190F696C1AC675A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000353284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:42.087{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3500-000000007502}2408C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:42.086{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3300-000000007502}2176C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:42.080{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:42.078{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3100-000000007502}2816C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:42.074{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2F00-000000007502}2800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:42.070{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3000-000000007502}2780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 23542300x8000000000000000353317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:43.989{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCE00FAAB3F4C54E8A57804A390B68B2,SHA256=4283A338F41AAC468277C3B29759447151577EDB975FDF46773016C0F151D552,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000353316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:41.341{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63642-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000192097Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:43.991{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1200-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192096Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:43.982{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1100-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192095Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:43.964{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1000-000000007602}940C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192094Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:43.959{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0F00-000000007602}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192093Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:43.952{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0E00-000000007602}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192092Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:43.945{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0D00-000000007602}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192091Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:43.937{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0C00-000000007602}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192090Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:43.931{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192089Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:43.928{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0900-000000007602}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 23542300x8000000000000000192088Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:43.003{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0432D70A0F70439D734FE53254E9F65C,SHA256=C479FA0C21C7E663D648757964DEC8FBD547FF434D8D3432175FC8AC26379D81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000353318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:44.806{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2A59DBD562FD4A26E732FCB8B3A7EDC,SHA256=4AFC9E1DD4A89F7057626603F663F84260D1361E943F2E915C2FF716B8F4B579,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192125Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:44.149{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B84-6323-9000-000000007602}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192124Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:44.140{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192123Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:44.121{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192122Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:44.116{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8700-000000007602}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192121Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:44.109{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B81-6323-8400-000000007602}3052C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192120Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:44.105{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B80-6323-8100-000000007602}640C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192119Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:44.104{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B7F-6323-7F00-000000007602}1676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192118Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:44.100{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B4B-6323-7B00-000000007602}2656C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192117Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:44.099{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AE3-6323-6D00-000000007602}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192116Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:44.097{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192115Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:44.094{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4200-000000007602}3036C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192114Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:44.093{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4000-000000007602}3000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192113Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:44.091{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-3C00-000000007602}2820C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192112Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:44.090{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD2-6323-2B00-000000007602}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192111Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:44.089{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2600-000000007602}2612C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192110Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:44.088{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2500-000000007602}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192109Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:44.085{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 23542300x8000000000000000192108Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:44.082{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B4C3361BB9570A335AAF83262ACEE41,SHA256=865797897DD4571C05DF5BA98656F3C229972716C5F40E7C7497CAC6CA254E38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192107Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:44.081{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192106Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:44.076{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2000-000000007602}2000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192105Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:44.074{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1F00-000000007602}1984C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192104Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:44.067{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1C00-000000007602}1924C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192103Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:44.060{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1900-000000007602}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192102Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:44.046{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1700-000000007602}1228C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192101Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:44.043{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1600-000000007602}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192100Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:44.034{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1500-000000007602}1056C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192099Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:44.007{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1400-000000007602}1048C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192098Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:44.001{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1300-000000007602}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 23542300x8000000000000000353320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:45.877{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62B68B1FF2DFC083A1E056F16B9E1C45,SHA256=3468228F57F56B73D456147046F36A5959CBE3F93BC517163B20C607FD0EADFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192126Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:45.171{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57E2EDF01120C6B005276E0DB12032F9,SHA256=6FC8E22C924107AC38C9DEEEEF9C6F69BEE21934C678497659FEB6AFF7A6D58E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000353319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:45.365{6820D070-4ADF-6323-2900-000000007502}2576NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\respondent-20220915155514-020MD5=3EE9864ACDFFE78A8B2E0DEDF704C720,SHA256=3E9075B80C33CFA58EAF977E4450D367AD693E429428DFB55B91DE7FD240E49F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000353322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:46.978{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=875C443C83FF0F77D1454FD8A991FAF3,SHA256=471AE99379207D736631D54C22D638E3F9E8D634E73B8CAF8C1D7F4A1AAEF67A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192128Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:43.278{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49950-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000192127Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:46.281{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C745852D53996C9C3B33A95932889B2D,SHA256=9157555F3E0660286521549B875D717348976EB8116942FC1886B455632C4BA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000353321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:46.364{6820D070-4ADF-6323-2900-000000007502}2576NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\surveyor-20220915155511-021MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192129Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:47.383{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20739339F285EED6889B3EBECBD4DA24,SHA256=952749BC3AF9857F1720B54DC8ED6FA4523E7488168F544FAF1B9C32AAE9B792,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192130Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:48.495{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48042ABF45028B0C96407F227EB9B974,SHA256=F0AEC3A40841F7BC67CD106D92BF5153C94680316E8EDC5F5C3666B3411AD184,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000353323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:48.030{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=932B3061BA7DA6240412030AAA73F241,SHA256=32D9F926A021670FB83E29F995BE9603B540AFDC5078B7448F0B368107C15B7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192131Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:49.589{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAFB2E274720A40BD02DA36A8164B32E,SHA256=BCE42EADB5AF4D80C32CEBB5242F4DBA536050EB38DC124C8F7059F70F77C973,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000353325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:47.252{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63643-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000353324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:49.068{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB2E1D727D0BCCE572250E6B7327313B,SHA256=6C14465577905A8ED3A063EAD045D71C17A5B2570574720F58B860C5CC828AC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192133Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:50.679{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B715B0309CC409A086A41CCDF63C99F,SHA256=FCE3092413B587CD6B6CC97C5F81D204EA21C39BAE157D2147E2D5558ADE38C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000353326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:50.135{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0A68E61C12A6BB050F0AC73D8194C63,SHA256=B205285E226A257A704861A4720EF7F47EB8A9A340A61003DBB088EE6825FE95,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192132Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:48.458{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49951-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000192134Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:51.774{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4004DCA591EDF1D0AA39E1929BCEA12,SHA256=7D7D09F929E9C0C7DFBE653E9FB48AF182FC324CD85D0EA8C7ED68296E6F0223,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000353327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:51.252{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12F1611F6C2A5B65A6BF1F8EA6C2199A,SHA256=2F50C2D15117FC24813DB984188A1DD0D2121433DC035F4027D029AFAF87BD2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192135Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:52.965{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=794CCF08772C6DCEA274A6D55EB81CBD,SHA256=14C738C8F14984C815AB7456AA31B0E781F58977131EE6CB87CE57FC4FCFB21A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000353328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:52.339{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FA1A3851B7270B14627CAB25A452FC3,SHA256=D07443AC04C5A61C75AF871FB3A8D439427359B56267A4439EBCE86CE3D06978,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000353329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:53.407{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FF9F89D55BB35B6A793ABBF858F67F6,SHA256=E918ADDE9F040F3499B03DEEB27C141DE1569B9D3147E2C8BC9176FFD6687E61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000353330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:54.462{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08853329A261F31657AF138836D8757A,SHA256=9AC29617C3DA5EFE5CCC8415202B67296BA2A2EBC2A6779DF6FF8A40C0870C44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192136Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:54.062{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FBC5542B48655F11327B2052AA27D7E,SHA256=03ED972733CEFE57318181840C289C66E55A0D7BC324B9991FEBFD79FDA09226,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000353335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:53.264{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63644-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000353334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:55.828{6820D070-4DB7-6323-0A01-000000007502}6624ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2022-09-15_161655MD5=B9BAF78D583CD118E6FFC9FEB55333E7,SHA256=4AF63321DC4A8ED4BE78C257929EA25332B3DDE938582BAA1C110BDBD016760B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000353333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:55.813{6820D070-4DB7-6323-0A01-000000007502}6624ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=3709639A4445928AEEC369E8CD24CA32,SHA256=9738ADDC8AEDB939A39026E254601718511C31C6D5D23AB2B4390392AAA92060,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000353332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:55.512{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=247CE62A2D0E2B3074DAB6F18FC4B260,SHA256=0B143B54F3E31EA3E23812A50B93BDA0F537886A30B0242E26843962AD542317,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192137Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:55.166{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9E15B96A6D82DCDBEE2508260D06252,SHA256=5ED5906F4A52D3F7A29835B16A40EAEC3743B60F4CA2925154EACC9C99CEEEC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000353331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:55.127{6820D070-4DB7-6323-0A01-000000007502}6624ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=CD1784A92E3DDF552D5C0F6ECA60A735,SHA256=DBA6AD19E46237F1BBE58BDB79E471798831A2B671515CA90CFD06BF088A0659,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192139Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:54.462{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49952-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000192138Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:56.260{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86733FFEEF68F0DE49B726BF01CA5043,SHA256=4B3FB881C0AD91A8CC5549993A154E14D67621C554A5C7B0EA0D10402E8C74AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000353337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:56.716{6820D070-4ADF-6323-3200-000000007502}2936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=C5195E9F1AA15377CE504FF2618449CD,SHA256=0BC84D2775C64FB51FD75E9CDCD9DA2377BC28C96B21C5DF6A764E2DF7479015,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000353336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:56.584{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3573637BCDB11469E9192B8E01E7D46,SHA256=184EDB2CAAB089927C3FA986D5B6612F0BBD72E4A9384313535A7E24F1B8ECF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192141Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:57.463{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1DE9829DCDBF9B15417F1892ACA0BD7,SHA256=EBEB2A7EA9BED81C0A46A5B5E636E6043ACB04F814671CEE21C1FB7F5B2FB515,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192140Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:57.431{E743DC12-4AD0-6323-1100-000000007602}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D16439E362C416BB52E2E346DD83C07E,SHA256=1D2A5E7202527643D873581F7454C1D97229C62E97892DFF5CD6E5BA0BFBA418,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000353338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:57.634{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B605CC4D3250516F088F6AA37ACB576,SHA256=B950ACCF179929E3201EED3A0AC14A19F375FE236D4A32E13D0964156B418CC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000353347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:58.873{6820D070-4AD1-6323-1100-000000007502}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=F1F6290A782F3D8758D8F3E20C737DB0,SHA256=025BAB2DE842AB3666775E18F84BE2C5060F3EADAE4DDBA81C3E0844503174D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000353346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:58.689{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3268AA3C7F0C9AD4E9028A5B92C8A8CC,SHA256=6F75813C27B3FBDA8188AEF2B881CF3E11A3FF639C9598D8765048BCABD20BD8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000353345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:58.655{6820D070-4B7F-6323-9900-000000007502}29725276C:\Windows\Explorer.EXE{6820D070-4FC8-6323-7701-000000007502}8024C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:58.655{6820D070-4B7F-6323-9900-000000007502}29725276C:\Windows\Explorer.EXE{6820D070-4FC8-6323-7701-000000007502}8024C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:58.655{6820D070-4B7F-6323-9900-000000007502}29725276C:\Windows\Explorer.EXE{6820D070-4FC8-6323-7701-000000007502}8024C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:58.655{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+ca500|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:58.655{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+66460|C:\Windows\System32\SHELL32.dll+ca4bc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:58.655{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+ca490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:58.655{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000192142Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:58.570{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3E5998BFDB51616DDF23CEDBF37DD41,SHA256=203E24A0C117ABE46BCC4A871BB7774E0E844EEC1F3578D98885BC9497498A5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000353373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:59.971{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA9661C6B2A5AAE982FEFE7A96FE1267,SHA256=52BBE0636F7190FD88EFBBF0385338928FB61D700AE0C5E1B8E0BA5DE5C58CE5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000353372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:59.909{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2E00-000000007502}2728C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:59.906{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2D00-000000007502}2720C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:59.897{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 23542300x8000000000000000192143Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:16:59.662{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=406B74A05B5EB76AEDBE4F6EDC47E0AB,SHA256=B66BBFE0294CE3B683536C4D6B39392D3B9FF847D77DC5E12DFAE0A57F931F64,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000353369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:59.382{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:59.377{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2900-000000007502}2576C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:59.371{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:59.347{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2600-000000007502}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:59.332{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2500-000000007502}2460C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:59.329{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADB-6323-2300-000000007502}2300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:59.327{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD2-6323-1B00-000000007502}1512C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:59.325{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1700-000000007502}1348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:59.317{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1600-000000007502}1292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:59.295{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:59.290{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1400-000000007502}1160C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:59.285{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1300-000000007502}924C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:59.278{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1200-000000007502}396C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 23542300x8000000000000000353356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:59.267{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\aborted-session-pingMD5=2B078A375EE1AC24B60BA5E9F1F65BE5,SHA256=80DC406434F79E432A1C71386AACA6B1E8186867705B50083628ACA64FE5307B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000353355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:59.254{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1100-000000007502}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:59.247{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1000-000000007502}428C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:59.236{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0F00-000000007502}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:59.228{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:59.215{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0D00-000000007502}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:59.204{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:59.151{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:59.149{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0900-000000007502}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 23542300x8000000000000000192147Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:00.755{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8A2EB9FFE8139B0AF67139E567AFF92,SHA256=FB268DF1DBE08415ED4CFA20D0FF94EC18906697EFAF93D91CFA1157C47ACADA,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000353441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 16:17:00.675{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHashSHA256=4AF63321DC4A8ED4BE78C257929EA25332B3DDE938582BAA1C110BDBD016760B 13241300x8000000000000000353440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 16:17:00.675{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigFileC:\Program Files\ansible\AttackRangeSysmon.xml 16341600x8000000000000000353439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local2022-09-15 16:17:00.675C:\Program Files\ansible\AttackRangeSysmon.xmlSHA256=4AF63321DC4A8ED4BE78C257929EA25332B3DDE938582BAA1C110BDBD016760B 13241300x8000000000000000353438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 16:17:00.675{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\RulesBinary Data 13241300x8000000000000000353437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 16:17:00.675{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookupBinary Data 13241300x8000000000000000353436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 16:17:00.675{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocationBinary Data 13241300x8000000000000000353435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 16:17:00.675{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithmDWORD (0x8000000e) 13241300x8000000000000000353434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 16:17:00.675{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\OptionsDWORD (0x00000007) 12241200x8000000000000000353433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-DeleteValue2022-09-15 16:17:00.675{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Rules 12241200x8000000000000000353432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-DeleteValue2022-09-15 16:17:00.675{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookup 12241200x8000000000000000353431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-DeleteValue2022-09-15 16:17:00.675{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocation 12241200x8000000000000000353430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-DeleteValue2022-09-15 16:17:00.675{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithm 2553225500x8000000000000000353429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local2022-09-15 16:17:00.675ConfigMonitorThreadFailed to send message to the driver to update configuration - Last error: The system cannot find the file specified. 12241200x8000000000000000353428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-DeleteValue2022-09-15 16:17:00.675{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Options 734700x8000000000000000353427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.675{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\ntmarta.dll10.0.14393.0 (rs1_release.160715-1616)Windows NT MARTA providerMicrosoft® Windows® Operating SystemMicrosoft Corporationntmarta.dllMD5=854A3CAE7C97B630158C9F7EE8555970,SHA256=20F0A4D99C5095A0CAC39B816BFC987F64CD051843C79E027714666375986176,IMPHASH=98050D95AE15C8382F287539F2BF65FAtrueMicrosoft WindowsValid 10341000x8000000000000000353426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.675{6820D070-4ACF-6323-0B00-000000007502}620668C:\Windows\system32\lsass.exe{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000353425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.637{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\msxml6.dll6.30.14393.5291MSXML 6.0Microsoft XML Core ServicesMicrosoft CorporationMSXML6.dllMD5=A362CCDBE82A110E864A59410B1C450F,SHA256=D05D510E37824ADF4917CA1F5BCD4F19F48B9664B2188C2CAD14481B6F7E0CC9,IMPHASH=FCAD6732873DA041FB25E83E799A2652trueMicrosoft WindowsValid 734700x8000000000000000353424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.637{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A82FB68F785E73141F5ABC91850595A8,SHA256=416DE0DA209CDCBE9B5D1A868CE972F8FE3399FF62E84EFD46D6FD49BDF7B7B2,IMPHASH=0BE8D1F061DD646F6D2B834CB7C9C900trueMicrosoft WindowsValid 734700x8000000000000000353423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.637{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=E1024CF2E35DD3467F52BC83F7FEDA3F,SHA256=59C87761AD509BD096C2F35257C2370FB94B95160CB63FB9E66DFD8210AB002A,IMPHASH=C852E8FD14D356C81F834E318EEAD7FAtrueMicrosoft WindowsValid 734700x8000000000000000353422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.637{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000353421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.637{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000353420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.622{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000353419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.622{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\msasn1.dll10.0.14393.0 (rs1_release.160715-1616)ASN.1 Runtime APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationmsasn1.dllMD5=299464D218A27B56684B715365D149FE,SHA256=2BFE4014E06552A9D4201EF9D1C605694AAF2B7B811265EFD91FC6D1C2D48242,IMPHASH=B6562243FBF394F03046E917C719260FtrueMicrosoft WindowsValid 734700x8000000000000000353418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.622{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\crypt32.dll10.0.14393.5291 (rs1_release.220806-1444)Crypto API32Microsoft® Windows® Operating SystemMicrosoft CorporationCRYPT32.DLLMD5=0D54B119907CCD11827832973EAB917D,SHA256=78C28A0165B0A2581662CFB3A89E319006518DC2E1A664E6027C7F8EBFA05D92,IMPHASH=42B269CD88D7BD841B43BB1788792A62trueMicrosoft WindowsValid 734700x8000000000000000353417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.622{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000353416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.622{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=C55F634054E45C0DEE47C254AE009928,SHA256=76EB0FCA87C3AD5FA1C46EB0AF88CF85E172525029E33F5DFC5645EF2EE6F575,IMPHASH=CBD4A2FD581B65B4B1934DA291FA2B86trueMicrosoft WindowsValid 734700x8000000000000000353415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.622{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=AA86B65DCB0ECF7263B863DE2A4E8D00,SHA256=2C4E0CA21438A610DCC55E24190146254E959DC5B8A0DE00BE517365CCCB10FB,IMPHASH=181A859176420BBB803F246C0E4B0889trueMicrosoft WindowsValid 734700x8000000000000000353414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.622{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000353413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.622{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=77BF2979C1A08EBA43C24FE0B7E547BE,SHA256=071E00374806E043A2E78E88C7FDDCE8F5983DE665DF41F3B3210660BF2EF704,IMPHASH=1835EBC72F9ADB09C6FCFABC04AC9C89trueMicrosoft WindowsValid 734700x8000000000000000353412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.622{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.14393.2457_none_a13eaee9d8fd5c07\comctl32.dll5.82 (rs1_release_inmarket.180822-1743)Common Controls LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMCTL32.DLLMD5=C89866876D676708892DEEA04A886CDA,SHA256=6C498F9AFFC75DFAADDACB9D1D4248862622FB2B06F0A410BA303A26FEADFF2B,IMPHASH=49FE37530A5C395ADDDAFC2730B16DDDtrueMicrosoft WindowsValid 734700x8000000000000000353411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.622{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=D73641916AB4964C7FE9B4A37473A01B,SHA256=4BB60581FB93D73CDC4F1FBEA2DDACE5D16FE61B6E0E16622C326B6E2F407A7E,IMPHASH=2A461CACC80CB7AC077398BD06B4057AtrueMicrosoft WindowsValid 734700x8000000000000000353410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.622{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=407E895A220DE1A60C5B555A113FE998,SHA256=FE184347784F83953457146562E0F6C87C8DA04D0288415465631325A2A98C92,IMPHASH=9F3DE8492A7F075320A36332ACC9CAAFtrueMicrosoft WindowsValid 734700x8000000000000000353409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.622{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=FC58D75DDAF44088B9101BE2418B1967,SHA256=74A0CCA04F2405A329897A6A1A3E90A0CE48E5772F85E7188C75677CD9D78160,IMPHASH=3C09BDCE2388320645D7656AE2AC744CtrueMicrosoft WindowsValid 734700x8000000000000000353408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.622{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\comdlg32.dll10.0.14393.5192 (rs1_release.220610-1622)Common Dialogs DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcomdlg32.dllMD5=F8BDE1A5CF167F3CB31D90BAFCA37CF0,SHA256=F356387B7DA3C0D7C8DE54B1DD08258F0FA974403BE11534CAC2C7A276DDFBA8,IMPHASH=06716A63D3E6F97CB489B0D6810B3519trueMicrosoft WindowsValid 734700x8000000000000000353407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.622{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000353406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.622{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000353405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.622{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000353404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.622{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000353403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.622{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000353402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.622{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000353401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.622{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\wtsapi32.dll10.0.14393.0 (rs1_release.160715-1616)Windows Remote Desktop Session Host Server SDK APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationwtsapi32.dllMD5=D0DB3DD09FB2B4ADABF4E719FAFC4EB9,SHA256=8B7C056B5F4AB604ED5077A39C63CE1B5A34929DE76DA4A3C54D6E648D123BAB,IMPHASH=AD7CEB919D43FA2BD394EC803EB6BCDAtrueMicrosoft WindowsValid 734700x8000000000000000353400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.622{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000353399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.622{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\mpr.dll10.0.14393.2879 (rs1_release_inmarket.190313-1855)Multiple Provider Router DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmpr.dllMD5=0E56DB60C434D51769F2DAC48B9AA686,SHA256=3F9AED98B1B7F6A59C219F622FD91C7FD20BFE280935F5334920A02ECCAE7ED6,IMPHASH=46ADE2B067E724C7163A0B1902FEF225trueMicrosoft WindowsValid 734700x8000000000000000353398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.622{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000353397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.622{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\mintdh.dll10.0.14393.0 (rs1_release.160715-1616)Event Trace Helper LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmintdh.dllMD5=32254E75260F1CAE3AB9EAC044B344B7,SHA256=B714E3CDEB23E63894D62E9335F51E301A9093F263623CCEFA2F674AABE7D629,IMPHASH=92D4FBE8F70FD95D329EA4882A8C3278trueMicrosoft WindowsValid 734700x8000000000000000353396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.622{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000353395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.622{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=0BC84513575743DA177F3DFE18D35CA7,SHA256=C40F6AA73073995E05E5379AE593A6617E8296C79A78BD7F716D95F98AE0D899,IMPHASH=9060609FCB6C4120D4517877408A4A46trueMicrosoft WindowsValid 734700x8000000000000000353394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.622{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000353393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.622{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000353392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.622{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000353391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.622{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000353390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.622{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=CFDB018AC09F879CAAE7A66CA7880D57,SHA256=6AB95FD0D142CFFC3B9455AF51F003E1CD75B7F4323820390B975F9E1C8A47A5,IMPHASH=9A7C66851249D4CED6C2C9096DCA243BtrueMicrosoft WindowsValid 734700x8000000000000000353389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.622{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000353388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.622{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\userenv.dll10.0.14393.4583 (rs1_release.210730-1850)UserenvMicrosoft® Windows® Operating SystemMicrosoft Corporationuserenv.dllMD5=E0F286AF345442E267C33880492CED31,SHA256=5C6D66F5A748551999BE1CDE33A3A1FC2E10D1297EF275D232A9FDCC95BEA84B,IMPHASH=C84FC60AE2A79A06E8C46A6929CDECB4trueMicrosoft WindowsValid 734700x8000000000000000353387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.622{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\tdh.dll10.0.14393.5125 (rs1_release.220429-1732)Event Trace Helper LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationtdh.dllMD5=6F455C95F294B3A3E34102BEF294D45C,SHA256=2182F234811B1DF1A366AE925A8167C0BC519AEBAF55A92887E36651EBA7E347,IMPHASH=E0A9B1840595F8507313FB797C5187E6trueMicrosoft WindowsValid 734700x8000000000000000353386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.622{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000353385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.622{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 10341000x8000000000000000353384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.622{6820D070-4FC8-6323-7801-000000007502}102166736C:\Windows\system32\conhost.exe{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000353383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.622{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000353382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.622{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000353381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.622{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exeC:\Program Files\ansible\sysmon\Sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-MD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7AtrueMicrosoft CorporationValid 10341000x8000000000000000353380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.622{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.622{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.622{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.622{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.622{6820D070-4B7C-6323-8800-000000007502}6284268C:\Windows\system32\csrss.exe{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000353375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.622{6820D070-4FC8-6323-7701-000000007502}80248124C:\Windows\system32\cmd.exe{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000353374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:00.624{6820D070-4FFC-6323-8201-000000007502}8696C:\Program Files\ansible\sysmon\Sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-Sysmon64.exe -c "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Program Files\ansible\sysmon\ATTACKRANGE\Administrator{6820D070-4B7D-6323-1F63-0C0000000000}0xc631f2HighMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{6820D070-4FC8-6323-7701-000000007502}8024C:\Windows\System32\cmd.exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon" 10341000x8000000000000000192146Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:00.693{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-1300-000000007602}872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192145Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:00.693{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-1300-000000007602}872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192144Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:00.693{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-1300-000000007602}872C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000192148Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:01.848{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDCF2D76F281F3E77094E2C4D3F1BD1F,SHA256=03FE8D7FAEC2935F9FCB12924B2DD24808A90931AE4DBFE801FAB9E4B533EA29,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000353456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:01.966{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3500-000000007502}2408C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:01.965{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3300-000000007502}2176C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:01.962{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:01.960{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3100-000000007502}2816C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:01.958{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2F00-000000007502}2800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:01.956{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3000-000000007502}2780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 23542300x8000000000000000353450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:01.908{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=1492170882E6DB4063D59EB8175D9A28,SHA256=91F1C6D70ED13BA7C1FF6C0A98DE5CBF43E422C61F1A5CDBF4786A3C4807D6D4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000353449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:59.582{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local64330- 354300x8000000000000000353448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:59.580{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local50024-false10.0.0.2-53domain 354300x8000000000000000353447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:59.580{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53427- 354300x8000000000000000353446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:59.580{6820D070-4AD1-6323-1200-000000007502}396C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53427-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domain 354300x8000000000000000353445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:16:59.207{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63645-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000353444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:01.676{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BCBABBFAC8D43CC578B50A6491B8975B,SHA256=AC93D9271375DD6E422FB9C2F90C92D341A4288711924D48C7A9FB7C7096C66D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000353443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:01.076{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5F515379CD53C250809C70CD727BEF1,SHA256=06F51063EC0AC3964FF8CF90258730DBB14885BDBDD564326A6A32FACBBCB2D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000353442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:01.076{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB751F94E264FDDF148095364FC2B543,SHA256=8F3EA1FC39657C78962E132D8487856C140904E76DBCC087C698FED77B4C2AE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192150Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:02.945{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A98112841886644268905AC654E63B77,SHA256=837830E0B89B545501BAF23F316C11EDD0ED11F8C91CA513657B72C98A57F33E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000353487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:02.723{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:02.723{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4FC8-6323-7701-000000007502}8024C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:02.707{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:02.704{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:02.699{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:02.695{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:02.690{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:02.681{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:02.677{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF6-6323-1401-000000007502}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:02.675{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:02.670{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F100-000000007502}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:02.661{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F000-000000007502}6028C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:02.659{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EF00-000000007502}5984C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:02.648{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EE00-000000007502}5852C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:02.605{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:02.593{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:02.575{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:02.524{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:02.518{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-9100-000000007502}4556C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:02.507{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-8E00-000000007502}4492C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:02.501{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8B00-000000007502}4360C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:02.499{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8900-000000007502}900C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:02.496{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B64-6323-8600-000000007502}5052c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:02.494{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B5A-6323-8400-000000007502}4824C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:02.491{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AF2-6323-7D00-000000007502}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:02.488{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:02.483{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4C00-000000007502}3976C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:02.482{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4700-000000007502}3772C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:02.479{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE1-6323-4600-000000007502}3752C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 10341000x8000000000000000353458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:02.478{6820D070-4ADF-6323-2A00-000000007502}26163608C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE0-6323-3A00-000000007502}3404C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000019870A90) 23542300x8000000000000000353457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:02.160{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25E32ED7B36B0E2AC192332521132B1B,SHA256=52B9784CB1C39325F9942E8CAE91C0EC70F5A9E926C331C41ED1E2BA00ED6C91,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192149Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:00.301{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49953-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000192153Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:03.991{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0C00-000000007602}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 13241300x8000000000000000353489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-SetValue2022-09-15 16:17:03.528{6820D070-4AD1-6323-1200-000000007502}396C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d8c91e-0x977e87ef) 23542300x8000000000000000353488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:03.262{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9982A076613CA5443A9D1D02C9157A71,SHA256=D5DD606B61062249528C8313709F9EA402E144672A09B0AB75FA1660ED27218D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192152Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:03.952{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192151Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:03.946{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0900-000000007602}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 354300x8000000000000000353491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:02.597{6820D070-4AD1-6323-1200-000000007502}396C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local123ntpfalse168.61.215.74-123ntp 23542300x8000000000000000353490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:04.363{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9859865D81F87BDBE939C5A50385306,SHA256=BB4E6A1242A73435CD1C5CE80E4DB1FE269F90ABA7EBAF89C20AE325BF483A40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192187Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:04.251{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B84-6323-9000-000000007602}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192186Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:04.237{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192185Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:04.212{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192184Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:04.205{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8700-000000007602}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192183Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:04.193{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B81-6323-8400-000000007602}3052C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192182Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:04.185{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B80-6323-8100-000000007602}640C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192181Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:04.182{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B7F-6323-7F00-000000007602}1676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192180Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:04.180{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B4B-6323-7B00-000000007602}2656C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192179Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:04.178{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AE3-6323-6D00-000000007602}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192178Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:04.174{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192177Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:04.169{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4200-000000007602}3036C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192176Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:04.166{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4000-000000007602}3000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192175Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:04.159{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-3C00-000000007602}2820C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192174Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:04.159{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD2-6323-2B00-000000007602}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192173Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:04.158{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2600-000000007602}2612C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192172Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:04.156{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2500-000000007602}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192171Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:04.153{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192170Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:04.146{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192169Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:04.143{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2000-000000007602}2000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192168Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:04.141{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1F00-000000007602}1984C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192167Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:04.134{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1C00-000000007602}1924C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192166Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:04.128{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1900-000000007602}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192165Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:04.117{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1700-000000007602}1228C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192164Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:04.115{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1600-000000007602}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192163Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:04.108{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1500-000000007602}1056C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192162Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:04.080{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1400-000000007602}1048C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192161Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:04.074{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1300-000000007602}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192160Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:04.064{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1200-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192159Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:04.056{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1100-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192158Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:04.044{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1000-000000007602}940C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192157Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:04.038{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0F00-000000007602}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192156Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:04.022{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0E00-000000007602}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 23542300x8000000000000000192155Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:04.018{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D39EE893A74897F3B2FA888FBBAFE332,SHA256=9B9670496D176220EBB788D10945C6DB63A4BD059614AC864751E6A690CF86C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192154Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:04.013{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0D00-000000007602}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 23542300x8000000000000000192188Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:05.271{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5372FEC56514B9BDA2FF2B09C1DA76E9,SHA256=803A3D1DBBFCD4F6A6AFE8A3E85125800CCC6D9C9AE1CE555E8EFA44CE5EE0D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000353492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:05.432{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=388FBD45173B4FABC9857ACE40EEFB80,SHA256=CE95858ECD9A2F21E0568B17F09A8A6B2151FD17FF59FA44EA57FA29150244BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192193Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:06.531{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=864E050444E1522064E1A7793A8242F6,SHA256=709B7E88E3909F90395ECB8C7F77AE7A32A37FC42DEC66AFC3AD60911E7074E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000353501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:04.388{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63646-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000353500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:06.588{6820D070-4B7F-6323-9900-000000007502}29725276C:\Windows\Explorer.EXE{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:06.588{6820D070-4B7F-6323-9900-000000007502}29725276C:\Windows\Explorer.EXE{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:06.588{6820D070-4B7F-6323-9900-000000007502}29725276C:\Windows\Explorer.EXE{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:06.588{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+ca500|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:06.588{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+66460|C:\Windows\System32\SHELL32.dll+ca4bc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:06.588{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+ca490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:06.588{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000353493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:06.506{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=491FA1CCF19E4D3C2460920FC316E683,SHA256=413225554EECBFCCECCF561C48D605B9F93DD115BA188DAD08B368B42BEDEAFA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192192Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:06.304{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192191Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:06.304{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192190Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:06.304{E743DC12-4ACF-6323-0B00-000000007602}6282712C:\Windows\system32\lsass.exe{E743DC12-4AD0-6323-1400-000000007602}1048C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192189Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:06.292{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-1D00-000000007602}1944C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192203Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:07.685{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-5003-6323-2401-000000007602}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192202Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:07.685{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192201Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:07.685{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192200Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:07.685{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192199Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:07.685{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192198Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:07.685{E743DC12-4ACF-6323-0500-000000007602}412428C:\Windows\system32\csrss.exe{E743DC12-5003-6323-2401-000000007602}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192197Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:07.685{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-5003-6323-2401-000000007602}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000192196Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:07.686{E743DC12-5003-6323-2401-000000007602}1184C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000192195Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:07.638{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56BC4639EC00C93DFD7934F173E303AE,SHA256=5BCE3D68F1DEC28BD09A64AADB80158827709D5DA0B2C7263439B937C6C4310B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000353509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:07.706{6820D070-4B7F-6323-9900-000000007502}29725276C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:07.706{6820D070-4B7F-6323-9900-000000007502}29725276C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:07.706{6820D070-4B7F-6323-9900-000000007502}29725276C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:07.706{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+ca500|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:07.706{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+66460|C:\Windows\System32\SHELL32.dll+ca4bc|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:07.706{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+ca490|C:\Windows\System32\TwinUI.dll+100021|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:07.706{6820D070-4B7F-6323-9900-000000007502}29725224C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+ffe59|C:\Windows\System32\TwinUI.dll+10088f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000353502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:07.591{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7221EB9B306F2CC9C86E966A4774FA4,SHA256=2738962BCC7BEAFB86A70AA962613AA375F0A9FB092CB36B361D8BB5A01C91C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192194Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:07.307{E743DC12-4AD0-6323-0D00-000000007602}7885104C:\Windows\system32\svchost.exe{E743DC12-4AD3-6323-4200-000000007602}3036C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000192214Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:08.778{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4E85ADF8671413F87532C9EC43A2226,SHA256=25C56DE8B620A87A4E50D348761ABA7FCF224BBACABD4836867123CB98AB4B48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192213Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:08.731{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D17725C195F528706F5EF21138EAFDBF,SHA256=4B59FA9E5F3B530C7A05563ED70AD688DDEB98AE70C45766AE3E47D717D90470,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000353515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:08.925{6820D070-4B7F-6323-9900-000000007502}29725276C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:08.925{6820D070-4B7F-6323-9900-000000007502}29725276C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:08.925{6820D070-4B7F-6323-9900-000000007502}29725276C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:08.876{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:08.876{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000353510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:08.640{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4806847ECDF0C5AA1E3E5E4505CF02CC,SHA256=FD82CCD965066B5E732F6FCE05A395EFFA2576C008BCBF43583A98B41E0D7491,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192212Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:08.559{E743DC12-5004-6323-2501-000000007602}50162632C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192211Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:08.368{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-5004-6323-2501-000000007602}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192210Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:08.368{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192209Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:08.368{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192208Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:08.368{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192207Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:08.368{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192206Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:08.368{E743DC12-4ACF-6323-0500-000000007602}412428C:\Windows\system32\csrss.exe{E743DC12-5004-6323-2501-000000007602}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192205Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:08.368{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-5004-6323-2501-000000007602}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000192204Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:08.369{E743DC12-5004-6323-2501-000000007602}5016C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000192234Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:09.967{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=1744E1C662749F85066D7B23B34959C8,SHA256=DC18F27ACB7AF10C89C6897873DFE7B046654C6357C6A1317C2117DF3F3C2283,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192233Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:09.849{E743DC12-5005-6323-2701-000000007602}27801292C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000192232Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:09.833{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=101625E8AE7ADEA1C991103FBDEDA619,SHA256=36BFE97B615AD9551871C98614132F5DFF564F93311378C37D437AF2F2F4A5FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000353516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:09.695{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3743C57575CC5A39C701172856D9157,SHA256=30E413C7F211A3B4FD8B578E9D4A9F1A9210E8FBE5AB4AD7FC3B1C73B6713844,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192231Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:09.693{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-5005-6323-2701-000000007602}2780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192230Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:09.693{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192229Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:09.693{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192228Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:09.693{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192227Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:09.693{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192226Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:09.693{E743DC12-4ACF-6323-0500-000000007602}412428C:\Windows\system32\csrss.exe{E743DC12-5005-6323-2701-000000007602}2780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192225Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:09.693{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-5005-6323-2701-000000007602}2780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000192224Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:09.694{E743DC12-5005-6323-2701-000000007602}2780C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000192223Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:06.303{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49954-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000192222Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:09.018{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-5005-6323-2601-000000007602}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192221Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:09.015{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192220Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:09.015{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192219Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:09.015{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192218Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:09.015{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192217Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:09.014{E743DC12-4ACF-6323-0500-000000007602}412428C:\Windows\system32\csrss.exe{E743DC12-5005-6323-2601-000000007602}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192216Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:09.014{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-5005-6323-2601-000000007602}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000192215Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:09.014{E743DC12-5005-6323-2601-000000007602}3132C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000353517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:10.745{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA93BE493731C77B75812B2F29288CBD,SHA256=AE99AF27D54DE320810A4A7DD030C47EAE4FC4CD44F77792C327601CFC0660E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192251Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:10.909{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-5006-6323-2901-000000007602}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192250Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:10.909{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192249Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:10.909{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192248Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:10.909{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192247Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:10.909{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192246Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:10.909{E743DC12-4ACF-6323-0500-000000007602}412528C:\Windows\system32\csrss.exe{E743DC12-5006-6323-2901-000000007602}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192245Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:10.909{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-5006-6323-2901-000000007602}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000192244Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:10.910{E743DC12-5006-6323-2901-000000007602}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000192243Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:10.391{E743DC12-5006-6323-2801-000000007602}23962916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192242Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:10.235{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-5006-6323-2801-000000007602}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192241Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:10.235{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192240Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:10.235{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192239Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:10.235{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192238Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:10.235{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192237Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:10.235{E743DC12-4ACF-6323-0500-000000007602}412528C:\Windows\system32\csrss.exe{E743DC12-5006-6323-2801-000000007602}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192236Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:10.235{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-5006-6323-2801-000000007602}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000192235Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:10.235{E743DC12-5006-6323-2801-000000007602}2396C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000192268Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:11.986{E743DC12-4AD1-6323-2200-000000007602}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=0C6CCD6BD0FFBBC2685F40FB5B0C99BA,SHA256=E2E71D2C6D55A8EABF093718896CCF065D45F583EB60BF64226E1DC62F4D65BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192267Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:11.580{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-5007-6323-2A01-000000007602}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192266Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:11.580{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192265Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:11.580{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192264Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:11.580{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192263Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:11.580{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192262Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:11.580{E743DC12-4ACF-6323-0500-000000007602}412528C:\Windows\system32\csrss.exe{E743DC12-5007-6323-2A01-000000007602}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192261Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:11.580{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-5007-6323-2A01-000000007602}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000192260Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:11.581{E743DC12-5007-6323-2A01-000000007602}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000192259Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:11.148{E743DC12-5006-6323-2901-000000007602}900596C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192258Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:11.139{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-5006-6323-2901-000000007602}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 10341000x8000000000000000192257Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:11.139{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-5006-6323-2901-000000007602}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 10341000x8000000000000000192256Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:11.139{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-5006-6323-2901-000000007602}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 10341000x8000000000000000192255Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:11.139{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-5006-6323-2901-000000007602}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 10341000x8000000000000000192254Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:11.139{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-5006-6323-2901-000000007602}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 10341000x8000000000000000192253Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:11.138{E743DC12-4AD0-6323-1D00-000000007602}19442496C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-5006-6323-2901-000000007602}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38850) 23542300x8000000000000000192252Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:11.038{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0662F05684CE29DDFA60C0D5F8E2F6E4,SHA256=9AB14AF4B51757EA1B8357838204AB310B571763E2F2D21306AE6E6EAA5F81B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000353589Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.992{6820D070-4E46-6323-4401-000000007502}51768108C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(0000000010FE048A)|UNKNOWN(0000000010FE0290)|UNKNOWN(000000000AC2F9A8)|UNKNOWN(000000000AC2EC64)|UNKNOWN(000000000AC2E1DD)|UNKNOWN(0000000018C94DB9)|UNKNOWN(0000000018C9488F)|UNKNOWN(00000000096CF8F5)|UNKNOWN(000000000965E1C7)|UNKNOWN(0000000017009CDE)|UNKNOWN(0000000009658165)|UNKNOWN(0000000009657B96)|UNKNOWN(0000000009657AD0)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64) 734700x8000000000000000353588Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.985{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=65E40BDC28FDF5C01C6CF95D6CC45703,SHA256=FE140E0F5D1E06A51E679B26D6A99AA65A2DDCD7C4CD71BD51FEB2939BF6B7A4,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000353587Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.981{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\Culture.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft Globalization SupportMicrosoft® .NET FrameworkMicrosoft Corporationculture.dllMD5=22E9113EA0D1D8252314F23BAD16DD36,SHA256=A731E05FCFCE0B9FCF449DFB589A49C09FC63593D61676F5EE3977CBD47C64A9,IMPHASH=104E17C81D918D1C093DA532DC4F4DBEtrueMicrosoft CorporationValid 734700x8000000000000000353586Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.981{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=65E40BDC28FDF5C01C6CF95D6CC45703,SHA256=FE140E0F5D1E06A51E679B26D6A99AA65A2DDCD7C4CD71BD51FEB2939BF6B7A4,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000353585Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.980{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft Common Language Runtime Class LibraryMicrosoft® .NET FrameworkMicrosoft Corporationmscorlib.dllMD5=65E40BDC28FDF5C01C6CF95D6CC45703,SHA256=FE140E0F5D1E06A51E679B26D6A99AA65A2DDCD7C4CD71BD51FEB2939BF6B7A4,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 10341000x8000000000000000353584Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.979{6820D070-4E46-6323-4401-000000007502}51766296C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exe0x1038C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+92e57|C:\Windows\SYSTEM32\ntdll.dll+78145|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000AAA70FA)|UNKNOWN(000000001B0CFAB2)|UNKNOWN(000000001B0CF286)|UNKNOWN(000000001C3EF715)|UNKNOWN(000000001C3EF637)|UNKNOWN(000000001B29D9E9)|UNKNOWN(000000001B29D841)|UNKNOWN(000000001B29D7F9)|UNKNOWN(000000001B29D69A)|UNKNOWN(000000001B29D4FE)|UNKNOWN(000000001B29D313)|UNKNOWN(000000001B29D1BC)|UNKNOWN(000000001B29C087) 734700x8000000000000000353583Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.962{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\profapi.dll10.0.14393.0 (rs1_release.160715-1616)User Profile Basic APIMicrosoft® Windows® Operating SystemMicrosoft CorporationPROFAPI.DLLMD5=CA6447DDCA724F0C5C0CAFDE184EFE64,SHA256=F9664337B60A332571FCA81CC3E6DD194DCE20C8546980FD283CA892D0CC873C,IMPHASH=6E3C4DB87F2B77C788E86C1A678A8D0DtrueMicrosoft WindowsValid 734700x8000000000000000353582Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.962{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\SHCore.dll10.0.14393.5066 (rs1_release.220401-1841)SHCOREMicrosoft® Windows® Operating SystemMicrosoft CorporationSHCORE.dllMD5=80EE5186671CE3551034147EB20E8D5A,SHA256=4004CA1A47FE31D95444872D19BEA51A83472528001B3E8EC18BA0C843199AE9,IMPHASH=6DF3E31673D2CCEDABFBE5A79390B72DtrueMicrosoft WindowsValid 734700x8000000000000000353581Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.962{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\powrprof.dll10.0.14393.0 (rs1_release.160715-1616)Power Profile Helper DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationPOWRPROF.DLLMD5=A6F22CA344FD1B7D75D49ECC718693C8,SHA256=C7787F59263B7D5246B931531AB4DC4C430E1BF8260775B7A751D4994A5D3489,IMPHASH=689E2A5805AE9CF0919D2DDDDDC411CCtrueMicrosoft WindowsValid 734700x8000000000000000353580Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.962{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\windows.storage.dll10.0.14393.5291 (rs1_release.220806-1444)Microsoft WinRT Storage APIMicrosoft® Windows® Operating SystemMicrosoft CorporationWindows.Storage.dllMD5=B05DBB473918152F51A7F5A10FE250C7,SHA256=85EA95E8D8B1123288E84E5DC8502584288D67B2C692B118411F37774479498B,IMPHASH=A7A8E1C7D8A348EDDDA81702A2FEC068trueMicrosoft WindowsValid 734700x8000000000000000353579Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.962{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\cfgmgr32.dll10.0.14393.0 (rs1_release.160715-1616)Configuration Manager DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationCFGMGR32.DLLMD5=90A1CD387F9CB30F86D34B88BFCD83A1,SHA256=5F6CE9777CDC7B0A0E98C90709C41C379415DBA654A39B332BB683A7F2B86E97,IMPHASH=07C997EFB887CE39B75B7896A20F5FFBtrueMicrosoft WindowsValid 734700x8000000000000000353578Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.962{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\shell32.dll10.0.14393.5291 (rs1_release.220806-1444)Windows Shell Common DllMicrosoft® Windows® Operating SystemMicrosoft CorporationSHELL32.DLLMD5=65BF71AD92E68AC9BCDFA13C5FF0959D,SHA256=14FDD181EF550EAE500F4B617877BD2DC04827704704A56DCF30446AEEA2882A,IMPHASH=F1F88F7EE16DD2A229F2F5159DB8928BtrueMicrosoft WindowsValid 10341000x8000000000000000353577Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.962{6820D070-4E46-6323-4401-000000007502}51769140C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000AAA85D7)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+13bcf(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+168b9(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+d8ba(wow64)|UNKNOWN(000000000ABD9240)|UNKNOWN(000000000ABD9008)|UNKNOWN(000000000ABD8EA6)|UNKNOWN(000000000ABD8DEC)|UNKNOWN(000000000AB7057E)|UNKNOWN(000000000AAAFC09)|UNKNOWN(0000000018C9F54B)|UNKNOWN(000000000AAA599D)|UNKNOWN(000000000AAA5237)|UNKNOWN(000000000AAA4FC5) 10341000x8000000000000000353576Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.962{6820D070-4E46-6323-4401-000000007502}51769140C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000AAA85D7)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+13814(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+e8b9(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+e99e(wow64)|UNKNOWN(000000000ABD9008)|UNKNOWN(000000000ABD8EA6)|UNKNOWN(000000000ABD8DEC)|UNKNOWN(000000000AB7057E)|UNKNOWN(000000000AAAFC09)|UNKNOWN(0000000018C9F54B)|UNKNOWN(000000000AAA599D)|UNKNOWN(000000000AAA5237)|UNKNOWN(000000000AAA4FC5)|UNKNOWN(000000000DC4ADBC) 10341000x8000000000000000353575Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.947{6820D070-4E46-6323-4401-000000007502}51769140C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000AAA85D7)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+13bcf(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+168b9(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+d8ba(wow64)|UNKNOWN(000000000AB70D00)|UNKNOWN(000000000AB70A1C)|UNKNOWN(000000000AB704CA)|UNKNOWN(000000000AAAFC09)|UNKNOWN(0000000018C9F54B)|UNKNOWN(000000000AAA599D)|UNKNOWN(000000000AAA5237)|UNKNOWN(000000000AAA4FC5)|UNKNOWN(000000000DC4ADBC)|UNKNOWN(000000000DC493C5) 10341000x8000000000000000353574Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.947{6820D070-4E46-6323-4401-000000007502}51769140C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000AAA85D7)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+13814(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+e8b9(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+e99e(wow64)|UNKNOWN(000000000AB70A1C)|UNKNOWN(000000000AB704CA)|UNKNOWN(000000000AAAFC09)|UNKNOWN(0000000018C9F54B)|UNKNOWN(000000000AAA599D)|UNKNOWN(000000000AAA5237)|UNKNOWN(000000000AAA4FC5)|UNKNOWN(000000000DC4ADBC)|UNKNOWN(000000000DC493C5)|UNKNOWN(000000000DC48E6E) 10341000x8000000000000000353573Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.947{6820D070-4E46-6323-4401-000000007502}51769140C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000AB70C4A)|UNKNOWN(000000000AB70ADF)|UNKNOWN(000000000AB709EF)|UNKNOWN(000000000AB704CA)|UNKNOWN(000000000AAAFC09)|UNKNOWN(0000000018C9F54B)|UNKNOWN(000000000AAA599D)|UNKNOWN(000000000AAA5237)|UNKNOWN(000000000AAA4FC5)|UNKNOWN(000000000DC4ADBC)|UNKNOWN(000000000DC493C5)|UNKNOWN(000000000DC48E6E)|UNKNOWN(000000000DC48DA8)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64) 10341000x8000000000000000353572Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.947{6820D070-4E46-6323-4401-000000007502}51769140C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000AAA85D7)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+13bcf(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+168b9(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+15b8f(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+fdd2(wow64)|UNKNOWN(000000000AAA7DFE)|UNKNOWN(000000000AAA6E69)|UNKNOWN(000000000AAA5C1F)|UNKNOWN(000000000AAA5730)|UNKNOWN(000000000AAA5237)|UNKNOWN(000000000AAA4FC5)|UNKNOWN(000000000DC4ADBC)|UNKNOWN(000000000DC493C5)|UNKNOWN(000000000DC48E6E) 10341000x8000000000000000353571Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.931{6820D070-4E46-6323-4401-000000007502}51769140C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000AAA85D7)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+13814(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+e8b9(wow64)|C:\Users\Administrator\Downloads\bin\System.Diagnostics.Process.dll+e99e(wow64)|UNKNOWN(000000000AAA6E69)|UNKNOWN(000000000AAA5C1F)|UNKNOWN(000000000AAA5730)|UNKNOWN(000000000AAA5237)|UNKNOWN(000000000AAA4FC5)|UNKNOWN(000000000DC4ADBC)|UNKNOWN(000000000DC493C5)|UNKNOWN(000000000DC48E6E)|UNKNOWN(000000000DC48DA8)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64) 10341000x8000000000000000353570Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.931{6820D070-4E46-6323-4401-000000007502}51769140C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exe0x1038C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000AAA70FA)|UNKNOWN(000000000AAA6D52)|UNKNOWN(000000000AAA5C1F)|UNKNOWN(000000000AAA5730)|UNKNOWN(000000000AAA5237)|UNKNOWN(000000000AAA4FC5)|UNKNOWN(000000000DC4ADBC)|UNKNOWN(000000000DC493C5)|UNKNOWN(000000000DC48E6E)|UNKNOWN(000000000DC48DA8)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+25f311(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+255d72(wow64)|C:\Users\Administrator\Downloads\bin\coreclr.dll+11adaf(wow64) 10341000x8000000000000000353569Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.931{6820D070-4E46-6323-4401-000000007502}51768108C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|UNKNOWN(000000000AAA4B7F)|UNKNOWN(0000000018C94CCC)|UNKNOWN(0000000018C9488F)|UNKNOWN(00000000096CF8F5)|UNKNOWN(000000000965E1C7)|UNKNOWN(0000000017009CDE)|UNKNOWN(0000000009658165)|UNKNOWN(0000000009657B96)|UNKNOWN(0000000009657AD0)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|UNKNOWN(000000001B29D69A)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+255d72(wow64)|C:\Users\Administrator\Downloads\bin\coreclr.dll+11adaf(wow64)|C:\Users\Administrator\Downloads\bin\coreclr.dll+4660a(wow64) 10341000x8000000000000000353568Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.931{6820D070-4E46-6323-4401-000000007502}51766544C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d6e0(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ca(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ea(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dae6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dd11(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e2de(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e4ae(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll+6a31(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll+749d(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dfe2(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e0b6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e177(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e5fa(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1142a(wow64) 10341000x8000000000000000353567Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.931{6820D070-4E46-6323-4401-000000007502}51766544C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+de5f(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dca6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e2de(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e4ae(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll+6a31(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll+749d(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dfe2(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e0b6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e177(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e5fa(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1142a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 734700x8000000000000000353566Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.931{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordacwks.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft .NET External Data Access SupportMicrosoft® .NET FrameworkMicrosoft Corporationcordacwks.dllMD5=0ACFE06D73EFBCAFACF72A22F7D79E91,SHA256=525591629E48EC84FE78DBC621AE91536E7039B50593B60AD6B3801B1F91EB5A,IMPHASH=F0FBF635B7EFD828980AA6937580AF82trueMicrosoft CorporationValid 10341000x8000000000000000353565Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.931{6820D070-4E46-6323-4401-000000007502}51766544C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d6e0(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ca(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ea(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dae6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dd11(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e195(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1d732(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e5fa(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1142a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000353564Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.931{6820D070-4E46-6323-4401-000000007502}51766544C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+de5f(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+dca6(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e195(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1d732(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+e5fa(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1142a(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 734700x8000000000000000353563Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.931{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9268_none_d08e1538442a243e\msvcr80.dll8.00.50727.9268Microsoft® C Runtime LibraryMicrosoft® Visual Studio® 2005Microsoft CorporationMSVCR80.DLLMD5=26A95438C2D0E0C41B73D19400F4C2DB,SHA256=CC97DCB66E3150CD14294D21AD0E10C7472DF45CAF37E49675A70ED406882BE2,IMPHASH=7FECBC4A16A5DC85A5394A1DF6217680trueMicrosoft WindowsValid 734700x8000000000000000353562Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.931{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorwks.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft .NET Runtime Common Language Runtime - WorkStationMicrosoft® .NET FrameworkMicrosoft Corporationmscorwks.dllMD5=25CEE067AED86FF988C8D31BD7212A21,SHA256=3E0987EFC92F4BCD2798934A70BBEDCADB37899B4F6225279F3685A0DB5BB2F8,IMPHASH=C8D17502D1A38C77CC8770F7291FD333trueMicrosoft CorporationValid 734700x8000000000000000353561Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.931{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\version.dll10.0.14393.0 (rs1_release.160715-1616)Version Checking and File Installation LibrariesMicrosoft® Windows® Operating SystemMicrosoft CorporationVERSION.DLLMD5=181FE38C3FE164FBFC1A5A8399CCC2DA,SHA256=233C31D9FC1C50A3E0688C1E778D356B419ED4A70D7B6870CA7631E4FE5C2AF9,IMPHASH=313B85F092EA5CD18DD8311E8921D208trueMicrosoft WindowsValid 734700x8000000000000000353560Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.915{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=4BA1C50E6607AE70495B58874963B901,SHA256=72BBBB4145E058C3B12504AC0EC128CD44E282D40959D018192899276A2B9C69,IMPHASH=9F60CD6001B5CEA647B250DFF3B6F65AtrueMicrosoft WindowsValid 734700x8000000000000000353559Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.915{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\imm32.dll10.0.14393.0 (rs1_release.160715-1616)Multi-User Windows IMM32 API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationimm32MD5=203F58BA41B48A59D6A047E0233DB422,SHA256=4204F7C2B4E13AA3819A180FACA724435F6400FE97D2EF6C74634A0D7E51F7F3,IMPHASH=EA6E499F92F9040E9609EFDC47BE01FEtrueMicrosoft WindowsValid 734700x8000000000000000353558Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.915{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=AF2A9437F3AED2E8254B7E1EB6E96782,SHA256=D8F3C957BDBD9DB510E71B07CDE1B446491D4DC520787548060B3AAD1324C62A,IMPHASH=5D2578ED274AAD83C30A3917C98404EEtrueMicrosoft WindowsValid 734700x8000000000000000353557Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.915{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=318804DFF282AE5C2FEF5577057CB913,SHA256=A65C5C3F38A793F0C59C1A4553940D6D236CE2BC3380898E865BF0E1F80FEE8C,IMPHASH=5D92B73B6930EFBC71A36B7FEF62DF62trueMicrosoft WindowsValid 734700x8000000000000000353556Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.915{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=8B516F883167509677B58B9984D8EEA2,SHA256=47F9B88E4038517FC8C5FEB3AC04B21A885EE505143952C96A23FE851869A90E,IMPHASH=E698C8E2E06172CDB524686FF10A5C5EtrueMicrosoft WindowsValid 734700x8000000000000000353555Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.915{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=E9E209227AF7EFBFDAAA0B932251486D,SHA256=639DD063669F506790DA8C940E3BEBE4F7CF31668260F94CF5A67C93021D2BDF,IMPHASH=25AFDCBDCE8BEB6A7109D378495BE552trueMicrosoft WindowsValid 734700x8000000000000000353554Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.915{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=F058FE3C5E3DEF875A654A18551D88E5,SHA256=78DC0394AA359DBD2EB8BE7F13FEDF0478C8AA55785712B358FAC1C97D051B87,IMPHASH=44F906D172B935DEA0C5D038C6FA8449trueMicrosoft WindowsValid 734700x8000000000000000353553Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.915{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=9629C30BA0F10D72FD189FCA987B0E29,SHA256=4DDAF3BB8CE239A8AD41F333AE7D2AD6B7763B9ED8B862695B67F60E5ADE031C,IMPHASH=7E0E904C0FD68DBF5F794D700C0C3C3DtrueMicrosoft WindowsValid 734700x8000000000000000353552Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.915{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\shlwapi.dll10.0.14393.5125 (rs1_release.220429-1732)Shell Light-weight Utility LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationSHLWAPI.DLLMD5=6CE01AB1C2063B171AD7432B130FEBBD,SHA256=F554E9818C54F6C760C6E53BAEABCA3F5CAD683C028460307F3D93C7A8B06F02,IMPHASH=2D7046CEF5DEEA9D960D37CB0A98F146trueMicrosoft WindowsValid 734700x8000000000000000353551Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.915{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoreei.dll4.8.4180.0 built by: NET48REL1LAST_BMicrosoft .NET Runtime Execution EngineMicrosoft® .NET FrameworkMicrosoft Corporationmscoreei.dllMD5=606B77C072A964DA4E4710151CAC86EB,SHA256=C6C9E8D77B62C7A52E6E9EAC764C1E1345779FC17544B80730E507627A5D5120,IMPHASH=25F1E57C7A6ED06AAF329CB7B168FA29trueMicrosoft CorporationValid 734700x8000000000000000353550Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.915{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=6215B591FCA75825262B29613A48836C,SHA256=B34EED73CE76E4AA1A0812E9BE1AE093549B164341F988CA877E27E545C3C1B8,IMPHASH=918DADABE6E41CFBB03F954A46D3F72EtrueMicrosoft WindowsValid 734700x8000000000000000353549Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.915{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=3D4308BAC53B881B16D9BD1006ABDC65,SHA256=26DF85FC22F9FCAA2212CB66612FE8F5CC6382953FE81B9C34128E43080C7891,IMPHASH=C7D6B46400E43E7BE538D1CCB512EC25trueMicrosoft WindowsValid 734700x8000000000000000353548Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.915{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecurity.dllMD5=1B90C58145F4B3C0743C470793469AD6,SHA256=21D752964E10DBB4DFC589856AA808D31E301B93C9E5FF6D1655D32FBD00AF44,IMPHASH=AC11100B3FFA7FCAFA188E618E4C7CC1trueMicrosoft WindowsValid 734700x8000000000000000353547Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.915{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=C6EE0DB29435BF41835FFA96EB2F14C5,SHA256=CAF9E05D47F84728986E1BF563B3B87FAF3522F4E0CC4FD95694F418C307AD92,IMPHASH=DFB6F6F4811855AE14F8E8492E1C602FtrueMicrosoft WindowsValid 734700x8000000000000000353546Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.915{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=495127E6E6D5CAEDE18A809EAEFFC349,SHA256=9F621D36BCD75AE97E1BCBA9BBFD75FEC74C6CA87AEF81F3190173CBF7CC2A45,IMPHASH=C3B61C1F5D46A607D624033E7094E4FFtrueMicrosoft WindowsValid 734700x8000000000000000353545Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.915{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=F3B7F231407DD207CABC94C9347984AC,SHA256=053A1D95EEB426416278D2AD7D584FDD984A8B445CC88B46785AB8666383FB0B,IMPHASH=B5CBF1B1B5086E2C500FD84325E04D44trueMicrosoft WindowsValid 734700x8000000000000000353544Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.915{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=0887C15A40AA6286ABACDF5FA5EADFC8,SHA256=C031E35864A113C505E5E1CCBF9BE34164823C67E41604A60276D1B89ACE08D7,IMPHASH=8B861EA72FDD6FC722328B2746B13380trueMicrosoft WindowsValid 734700x8000000000000000353543Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.900{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=25ADC994F9AF8716E35487995DDB45CE,SHA256=47B573E7708AAA00F2BE6E8EB7F3CB1B4817E65FACBBB1D772970A8F710DAF61,IMPHASH=6E1D0A92C1917EFBFC1EEA82FA5E155FtrueMicrosoft WindowsValid 734700x8000000000000000353542Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.900{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=2BF0F8D3C4FB14CB0DB195FED475AC53,SHA256=42360027F12D825CFA04158EEF4DE264AC74C7FD48C2C2EE384519714183436F,IMPHASH=EAF4CC449835E7A81A8EEFEBEB2E8FC7trueMicrosoft WindowsValid 734700x8000000000000000353541Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.900{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\mscoree.dll10.0.14393.0 (rs1_release.160715-1616)Microsoft .NET Runtime Execution EngineMicrosoft® Windows® Operating SystemMicrosoft Corporationmscoree.dllMD5=2582AA6C1F88D34B37B7F82D790D232E,SHA256=AA948BB6583057E2E2F299EBD1717A42D6559CA27AF6BC756D3C3BB4109E4E77,IMPHASH=900F88A34CE398C54C9022F5335E8EA9trueMicrosoft WindowsValid 734700x8000000000000000353540Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.900{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\System32\wow64cpu.dll10.0.14393.3503 (rs1_release.200131-0410)AMD64 Wow64 CPU Microsoft® Windows® Operating SystemMicrosoft Corporationwow64cpu.dllMD5=C1F2078639481364EA3FDD10CBEB1A18,SHA256=B63E6DC0B3D7ABA9CB95929A1A360208A570CB2072474276F649B68F1AC8DC82,IMPHASH=15CD876FB3F6EC97A2F7466360415F86trueMicrosoft WindowsValid 734700x8000000000000000353539Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.900{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000353538Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.900{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000353537Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.900{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=2BF0F8D3C4FB14CB0DB195FED475AC53,SHA256=42360027F12D825CFA04158EEF4DE264AC74C7FD48C2C2EE384519714183436F,IMPHASH=EAF4CC449835E7A81A8EEFEBEB2E8FC7trueMicrosoft WindowsValid 734700x8000000000000000353536Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.900{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000353535Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.900{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\System32\wow64win.dll10.0.14393.3383 (rs1_release.191125-1816)Wow64 Console and Win32 API LoggingMicrosoft® Windows® Operating SystemMicrosoft Corporationwow64lg2.dllMD5=62DEBA17D0A26B352F1C3F02144BC6EA,SHA256=5A1C08FE318942CB31048DBD641E25610DE842E34470B3E54FEDCA4E2642D4E0,IMPHASH=3045357B61B63AEF6CBCD96F2FA7E9D8trueMicrosoft WindowsValid 734700x8000000000000000353534Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.900{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\System32\wow64.dll10.0.14393.3503 (rs1_release.200131-0410)Win32 Emulation on NT64Microsoft® Windows® Operating SystemMicrosoft Corporationwow64.dllMD5=447615F19DAAFF9C308370C59F493BF8,SHA256=45ED2009CEEB249BBF518B958AF02B97E667DB68C9B6D65642E69E9B0300CF5D,IMPHASH=03B9E38A9E88FDC66380837CCC8647FAtrueMicrosoft WindowsValid 734700x8000000000000000353533Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.900{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=B04953E4C38042AD2628FA49AB42AB5C,SHA256=7B2B4662D3EE0D6DD673C0FEEE4B28E2E16ABF534DF3076497C6B6B40E8BE9C1,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000353532Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.900{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000353531Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.900{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Temp\agent_tesla-deob.exe0.0.0.0 --aLSZnlmnjFkdUuYoWBWV.exeMD5=3C907809BF409DFC1B14320749711692,SHA256=2C23D19BE9D8132A791A3EE3983212BA4CF82ADAB54F87642AF572721BB081AE,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744false-Unavailable 10341000x8000000000000000353530Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.900{6820D070-4E46-6323-4401-000000007502}51765936C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d6e0(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ca(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+d7ea(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+f6f0(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+eb46(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1a9a1(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1a720(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+ca3d(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 10341000x8000000000000000353529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.900{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.900{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.900{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.900{6820D070-4B7C-6323-8800-000000007502}6284268C:\Windows\system32\csrss.exe{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000353525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.900{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.900{6820D070-4E46-6323-4401-000000007502}51765936C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\wow64.dll+10c0b|C:\Windows\System32\wow64.dll+10499|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6f66c(wow64)|C:\Windows\System32\KERNELBASE.dll+d9328(wow64)|C:\Windows\System32\KERNELBASE.dll+d800c(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1a871(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1a937(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+1a720(wow64)|C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscordbi.dll+ca3d(wow64)|C:\Windows\System32\KERNEL32.DLL+162c4(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b69(wow64)|C:\Windows\SYSTEM32\ntdll.dll+61b34(wow64) 154100x8000000000000000353523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.904{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exe0.0.0.0 --aLSZnlmnjFkdUuYoWBWV.exe"C:\Temp\agent_tesla-deob.exe"C:\Temp\ATTACKRANGE\Administrator{6820D070-4B7D-6323-1F63-0C0000000000}0xc631f2HighMD5=3C907809BF409DFC1B14320749711692,SHA256=2C23D19BE9D8132A791A3EE3983212BA4CF82ADAB54F87642AF572721BB081AE,IMPHASH=F34D5F2D4577ED6D9CEEC516C1F5A744{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe"C:\Users\Administrator\Downloads\dnSpy.exe" 10341000x8000000000000000353522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.900{6820D070-4AD1-6323-1000-000000007502}4286492C:\Windows\System32\svchost.exe{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.898{6820D070-4B7F-6323-9900-000000007502}29725276C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9fdf|C:\Windows\System32\SHELL32.dll+cab85|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.898{6820D070-4B7F-6323-9900-000000007502}29725276C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+caa9e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.882{6820D070-4B7F-6323-9900-000000007502}29725276C:\Windows\Explorer.EXE{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+c9964|C:\Windows\System32\SHELL32.dll+caa67|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+13becf|C:\Windows\System32\windows.storage.dll+13ac5b|C:\Windows\System32\windows.storage.dll+13917f|C:\Windows\System32\SHCORE.dll+367b6|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000353518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:11.815{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA3C3E5409CBE77EC97581411D4482D8,SHA256=2B7ADDF1CABD21A358187F2F354DDAAC3E3929B25A22273601BD0B5FFB6FECD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000353638Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.964{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20B83A35AC2A96EA7668C466EF4CB338,SHA256=9D2081C327A97C93419691113421E68B2BB37615E26B14D0BA8630C7AE12231D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000353637Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.849{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E83CAE51905D59D7E8BDA65A122A840,SHA256=DF53044BD68B2B030548FBAB6BA5090B21B812048094B348ADDF347EB42CDA1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192269Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:12.113{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72B8CA16BECE044318EC78A52F2F1631,SHA256=D8C44326E5056063C770E8D1E83113926720800F4CD841D1C9384DBA804B7735,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000353636Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.467{6820D070-4E46-6323-4401-000000007502}51769140C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+eec5b(wow64)|UNKNOWN(0000000017009443)|UNKNOWN(00000000170093C9)|UNKNOWN(000000001700933D)|UNKNOWN(0000000017009266)|UNKNOWN(0000000017009172)|UNKNOWN(000000000DC4ADBC)|UNKNOWN(000000000DC493C5)|UNKNOWN(000000000DC48E6E)|UNKNOWN(000000000DC48DA8)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+25f311(wow64) 734700x8000000000000000353635Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.467{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\WMINet_Utils.dll2.0.50727.8745 (WinRel.050727-8700)WMINet_Utils.dllMicrosoft® .NET FrameworkMicrosoft CorporationWMINet_Utils.dllMD5=FE3A877218F498F90DD1D097FB770BFA,SHA256=7B7AB5348E3143DB00D0FCE36E5A75867046B5C60FC52DC9E0A166CA2FDF714E,IMPHASH=422758B458E7A457D744549F961156CCtrueMicrosoft CorporationValid 23542300x8000000000000000353634Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.434{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D52C8A774BA5A3A7FA952EC85F781F0B,SHA256=B9F9088816A0076F5A0A4C58E030A40F817771AADBA9AF125B0A4310EF02316D,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000353633Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.364{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Management.dllMD5=958FDDB17C667F7A3B6DCAF7A65D77CA,SHA256=2E169CCA1C98C89149E2022FCD0EDAC5037BFD5B4CBB7A6C38FCBBA048C42023,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000353632Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.364{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Management.dllMD5=958FDDB17C667F7A3B6DCAF7A65D77CA,SHA256=2E169CCA1C98C89149E2022FCD0EDAC5037BFD5B4CBB7A6C38FCBBA048C42023,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000353631Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.364{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Management\2.0.0.0__b03f5f7f11d50a3a\System.Management.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Management.dllMD5=958FDDB17C667F7A3B6DCAF7A65D77CA,SHA256=2E169CCA1C98C89149E2022FCD0EDAC5037BFD5B4CBB7A6C38FCBBA048C42023,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000353630Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.317{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft .NET Framework Custom MarshalersMicrosoft® .NET FrameworkMicrosoft CorporationCustomMarshalers.dllMD5=42DA151FFF2A55E85E078829BF3A0000,SHA256=2D942049C5C2BF2A6B7230BC7815B1759100E70125A9FC8C865FA87EF2FEA9C5,IMPHASH=6158BA7CC8ABE8F855A2AF17A6D4B2C0trueMicrosoft WindowsValid 734700x8000000000000000353629Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.317{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft .NET Framework Custom MarshalersMicrosoft® .NET FrameworkMicrosoft CorporationCustomMarshalers.dllMD5=42DA151FFF2A55E85E078829BF3A0000,SHA256=2D942049C5C2BF2A6B7230BC7815B1759100E70125A9FC8C865FA87EF2FEA9C5,IMPHASH=6158BA7CC8ABE8F855A2AF17A6D4B2C0trueMicrosoft WindowsValid 734700x8000000000000000353628Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.301{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft .NET Framework Custom MarshalersMicrosoft® .NET FrameworkMicrosoft CorporationCustomMarshalers.dllMD5=42DA151FFF2A55E85E078829BF3A0000,SHA256=2D942049C5C2BF2A6B7230BC7815B1759100E70125A9FC8C865FA87EF2FEA9C5,IMPHASH=6158BA7CC8ABE8F855A2AF17A6D4B2C0trueMicrosoft WindowsValid 734700x8000000000000000353627Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.263{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\sxs.dll10.0.14393.5246 (rs1_release.220701-1744)Fusion 2.5Microsoft® Windows® Operating SystemMicrosoft CorporationSXS.DLLMD5=2A16D108FE99577ABCC08B92F2765971,SHA256=AF5268F39CE35FA3215E8162A0BF4C1949D0F5FB7A284953362ED23507C5697F,IMPHASH=36E120EA05F8714D20693A7DA02D7326trueMicrosoft WindowsValid 734700x8000000000000000353626Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.263{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000353625Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.247{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000353624Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.247{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000353623Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.231{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000353622Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.231{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=89AC96525FB527CDF4FFDCDF657A3923,SHA256=737BC5E7586D9AB6306949B1470DB3DBE576638A010EEF7A297126BE30841C2F,IMPHASH=844732D10340F10C1E97778BA10CF30EtrueMicrosoft WindowsValid 734700x8000000000000000353621Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.231{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000353620Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.231{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=7BC54AA66588A3DF7B1448A4493C6663,SHA256=9CB1BA7C092164DAA14E21454606905E294D137AD72158F92A666077D7CF1946,IMPHASH=2DCB08A6E31A83C3EA33C5793EFA9A56trueMicrosoft WindowsValid 734700x8000000000000000353619Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.231{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=0D885953D657434CA5015545A364BDB9,SHA256=1D29921E136F84B4CA9F1EBD646CFFF4571EA805A6CC5BC1F7C7784CC3246088,IMPHASH=76F056ED62EDF4D48793D8C5EDA733ADtrueMicrosoft WindowsValid 734700x8000000000000000353618Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.231{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 734700x8000000000000000353617Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.231{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\clbcatq.dll2001.12.10941.16384 (rs1_release.210107-1130)COM+ Configuration CatalogMicrosoft® Windows® Operating SystemMicrosoft CorporationCLBCATQ.DLLMD5=A5DBC147158A0FFB44246C9452A1C9E1,SHA256=D7763F384F902F00980FE6A2ED0F254AF0539B66AAABFF64413B0D17606000A9,IMPHASH=CAC6B3339C5CAA083E24A4484EE86E29trueMicrosoft WindowsValid 10341000x8000000000000000353616Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.231{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000353615Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.231{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=857A10F193FD44C58B11C90F04C4E62D,SHA256=33AB6056C7DED486E75E1D410233354A8BC326E4ABE95DF5566F68283014587B,IMPHASH=34AF29CE553D01A9CE643682A40D7CB5trueMicrosoft WindowsValid 734700x8000000000000000353614Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.231{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\cryptsp.dll10.0.14393.2457 (rs1_release_inmarket.180822-1743)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=940907E5BEF86AF8B1D4C6FF2A98061E,SHA256=6F87C4B18D0A22A7A01C3F2176A18229B78106C9A7FC3F878892F0FD9706040C,IMPHASH=789B4484C292CAC32E0806DEE3E8734AtrueMicrosoft WindowsValid 734700x8000000000000000353613Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.216{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives Library (Wow64)Microsoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=80F9B9D2B1258D35F129D9210DC9CE20,SHA256=9653E29AA9499123EBFA49C4BA69E345F8A10029B00B790946DDFE040436EF6D,IMPHASH=61592743BFAEF2F12950E5420FA2AEB1trueMicrosoft WindowsValid 10341000x8000000000000000353612Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.131{6820D070-4ACF-6323-0B00-000000007502}620668C:\Windows\system32\lsass.exe{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000353611Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.116{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll8.0.50727.8745 (WinRel.050727-8700)Visual Basic Runtime LibraryMicrosoft® Visual Studio® 2005Microsoft CorporationMicrosoft.VisualBasic.DLLMD5=CF29781E0DDE50FADF81C98AFF4FC10E,SHA256=1C5084ECBBC3B9C976A44E6B0D335F83AFF78194C8C90F904C13E8C36BB628A9,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000353610Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.116{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll8.0.50727.8745 (WinRel.050727-8700)Visual Basic Runtime LibraryMicrosoft® Visual Studio® 2005Microsoft CorporationMicrosoft.VisualBasic.DLLMD5=CF29781E0DDE50FADF81C98AFF4FC10E,SHA256=1C5084ECBBC3B9C976A44E6B0D335F83AFF78194C8C90F904C13E8C36BB628A9,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000353609Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.116{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\Microsoft.VisualBasic\8.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll8.0.50727.8745 (WinRel.050727-8700)Visual Basic Runtime LibraryMicrosoft® Visual Studio® 2005Microsoft CorporationMicrosoft.VisualBasic.DLLMD5=CF29781E0DDE50FADF81C98AFF4FC10E,SHA256=1C5084ECBBC3B9C976A44E6B0D335F83AFF78194C8C90F904C13E8C36BB628A9,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000353608Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.116{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=9178314010A9838BDEBA4C83B1F5F1CC,SHA256=2AD8E588254C7A26C2FA224AAFC0BADE9EBEC421624FDD3E798042A0AAA8322D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000353607Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.116{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=9178314010A9838BDEBA4C83B1F5F1CC,SHA256=2AD8E588254C7A26C2FA224AAFC0BADE9EBEC421624FDD3E798042A0AAA8322D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000353606Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.116{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System\2.0.0.0__b77a5c561934e089\System.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.dllMD5=9178314010A9838BDEBA4C83B1F5F1CC,SHA256=2AD8E588254C7A26C2FA224AAFC0BADE9EBEC421624FDD3E798042A0AAA8322D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000353605Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.100{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Windows.Forms.dllMD5=D7BE1A5DFB5FA4F5FDF413A7B4B226B3,SHA256=2BF63A02DD33395465CDADBF7276D2B6E95B43235CEC21B0931D4328EE03D31C,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000353604Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.100{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Windows.Forms.dllMD5=D7BE1A5DFB5FA4F5FDF413A7B4B226B3,SHA256=2BF63A02DD33395465CDADBF7276D2B6E95B43235CEC21B0931D4328EE03D31C,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000353603Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.100{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Windows.Forms\2.0.0.0__b77a5c561934e089\System.Windows.Forms.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Windows.Forms.dllMD5=D7BE1A5DFB5FA4F5FDF413A7B4B226B3,SHA256=2BF63A02DD33395465CDADBF7276D2B6E95B43235CEC21B0931D4328EE03D31C,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000353602Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.100{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\diasymreader.dll8.0.50727.8745 (WinRel.050727-8700)Dia based SymReaderMicrosoft® Visual Studio® 2005Microsoft Corporationdiasymreader.dllMD5=7D6A7AD508368F8A41E19A593BF8152A,SHA256=9385717A62043C46A22A99893139475ACB44C0096DDE9954C9BDED721F4581A2,IMPHASH=E2ADD10FCF5C120524D6149FB9E129DEtrueMicrosoft CorporationValid 23542300x8000000000000000353601Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.078{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4A75D7A7350A54FE6CE2AEE5DE5F886,SHA256=2BC1AEBCB8B5A53C7F6DDE6BFC7C165E42738D8A72ABDD4595EA9DCF20EAA5FE,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000353600Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.025{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorjit.dll2.0.50727.8745 (WinRel.050727-8700)Microsoft .NET Runtime Just-In-Time CompilerMicrosoft® .NET FrameworkMicrosoft Corporationmscorjit.dllMD5=942A0FD4301180517656DF2D7DF45574,SHA256=B9648A085BD060F253D28351E5FED798CE5893B69FA4E221D44C99F460D05936,IMPHASH=458AE5B7483D2B3344CEEB01EB67E386trueMicrosoft CorporationValid 10341000x8000000000000000353599Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.020{6820D070-4AD1-6323-1500-000000007502}12201384C:\Windows\system32\svchost.exe{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39d09|C:\Windows\SYSTEM32\ntdll.dll+1e89a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353598Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.020{6820D070-4AD1-6323-1500-000000007502}12201256C:\Windows\system32\svchost.exe{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000353597Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.020{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\uxtheme.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft UxTheme LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationUxTheme.dllMD5=E1A1B98F2AD180FA2117A56D869E5830,SHA256=2D9711E9D549CCB441EF21F72F08FB4EACD5F2990193C6FFFC7E7AC92FA6E670,IMPHASH=1FCD5DF5B3D97346B0A828B1CFDB1ED1trueMicrosoft WindowsValid 734700x8000000000000000353596Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.017{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=33842D2EF1AFD0E94F73E24E55724418,SHA256=EBD2C419EB5B75270E1CC6F80FABD899C8F7B787F742CF3B0F608BB807197DF1,IMPHASH=6FE75EB0A263DD16629B09AECE416B36trueMicrosoft WindowsValid 10341000x8000000000000000353595Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.017{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000353594Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.017{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000353593Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.017{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000353592Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.016{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exe0x1010C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000353591Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.016{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 10341000x8000000000000000353590Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:12.016{6820D070-4ADF-6323-2A00-000000007502}26163240C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80190) 23542300x8000000000000000353649Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:13.919{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2DB42E81EDFB777157D1D3584332C7E,SHA256=C3E946DDE205110E9095F657135FEFC2C5E0548916AF0AEEE3A08863F81B8CB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192270Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:13.212{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F307A866DA10AC6FB106335FA01FBED,SHA256=B068ED14ACC8E17F23389C60B414DBFBE10BFB84C2DD68D4288CF2D2F694D315,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000353648Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:13.734{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\WinTypes.dll10.0.14393.5192 (rs1_release.220610-1622)Windows Base Types DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWinTypes.dllMD5=C3EAC9E7B604696B078D4275571F58EC,SHA256=8A1F5F88F70C1BD511AE7D0E03D6ABAE1778D59D10041D17B562FE9190559A0A,IMPHASH=E5E8B16505186AC32311EE602EA3C845trueMicrosoft WindowsValid 734700x8000000000000000353647Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:13.734{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\vaultcli.dll10.0.14393.5066 (rs1_release.220401-1841)Credential Vault Client LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationvaultcli.dllMD5=0F9CC4F83FDD30CA09546038D0C1500F,SHA256=754954935A1BB01C0695252B16EDF251F7FF2D66BFB00450CF038D0AA079B844,IMPHASH=8721D7F174531C1C4F8942462C87C899trueMicrosoft WindowsValid 734700x8000000000000000353646Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:13.685{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Xml.dllMD5=6A146F9D3906B27C239265A59E380270,SHA256=7900A67FBAA2A99BFE84CA06D28E5852C6D5998F702C1891381CCF08F23A0885,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000353645Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:13.685{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Xml.dllMD5=6A146F9D3906B27C239265A59E380270,SHA256=7900A67FBAA2A99BFE84CA06D28E5852C6D5998F702C1891381CCF08F23A0885,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000353644Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:13.685{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Xml\2.0.0.0__b77a5c561934e089\System.XML.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Xml.dllMD5=6A146F9D3906B27C239265A59E380270,SHA256=7900A67FBAA2A99BFE84CA06D28E5852C6D5998F702C1891381CCF08F23A0885,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000353643Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:13.565{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\shfolder.dll10.0.14393.0 (rs1_release.160715-1616)Shell Folder ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationshfolder.dllMD5=83D8A4E04F99C5FD749D34CC4B970A0E,SHA256=0924F96973B3CE4F15BB7947E6C593B3EA1015E459BF70C3A247A31632EF2ACA,IMPHASH=A262E121DDB8823B3F2D530403B9D7E9trueMicrosoft WindowsValid 10341000x8000000000000000353642Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:13.550{6820D070-4ACF-6323-0B00-000000007502}620668C:\Windows\system32\lsass.exe{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+26e07|C:\Windows\system32\lsasrv.dll+27f99|C:\Windows\system32\lsasrv.dll+26c85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353641Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:13.550{6820D070-4ACF-6323-0B00-000000007502}620668C:\Windows\system32\lsass.exe{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cd4|C:\Windows\System32\RPCRT4.dll+2bdcf|C:\Windows\system32\lsasrv.dll+26bcd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353640Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:13.518{6820D070-4E46-6323-4401-000000007502}51769140C:\Users\Administrator\Downloads\dnSpy.exe{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+2e9e|C:\Windows\System32\wow64.dll+2d80|C:\Windows\System32\wow64.dll+2d08|C:\Windows\System32\wow64.dll+3c0a|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecec(wow64)|C:\Windows\System32\KERNELBASE.dll+eec5b(wow64)|UNKNOWN(0000000017009443)|UNKNOWN(00000000170093C9)|UNKNOWN(000000001700933D)|UNKNOWN(0000000017009266)|UNKNOWN(0000000017009172)|UNKNOWN(000000000DC4ADBC)|UNKNOWN(000000000DC493C5)|UNKNOWN(000000000DC48E6E)|UNKNOWN(000000000DC48DA8)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+256d71(wow64)|C:\Users\Administrator\Downloads\bin\System.Private.CoreLib.dll+25f311(wow64) 354300x8000000000000000353639Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:10.347{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63647-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000353650Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:14.984{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BFF4D4DC4717F21FEC75952A48D6630,SHA256=D50A18697CCF2BBF52BB2FC03EF00D55E43CC6CD79F6AFF728D0C2E4B50E0649,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192272Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:14.296{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=233603706491A9B079DD7E6B12593DA7,SHA256=1D8CB9C50666B3051AC69DCB5F7E7E194F1EEF610D2F73DC10D8E1F2245AD465,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192271Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:12.242{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49955-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000192273Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:15.391{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A401BC8D247C831597CED23B03364FD0,SHA256=1CE0201CFAB765DD98F404433DF13B76AF1D9309A0A290E1768936A7B99957A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000353654Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:15.406{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4AD1-6323-1400-000000007502}1160C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353653Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:15.402{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4AD1-6323-1400-000000007502}1160C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353652Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:15.402{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4AD1-6323-1400-000000007502}1160C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000353651Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:15.165{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=409F19E774C384E09949CBA3FCE08FAB,SHA256=6F572FD958601DCB7EB7EED304673114304FE4FD943444F47B8000CBAF4A0C10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192274Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:16.494{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9779B651ED5CCB41C3F980982F5F449,SHA256=FA73F3327DAF8A2E8901CF652185405D61960B9495054DEC126B8DDB273C8B3B,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000353666Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:16.998{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=380F0481E3BA9EA699BB6F674A500745,SHA256=ED5F6D3E1F27292480800E540E5F60CF8E8A157B52AC47ACA8B81F57F63F30F0,IMPHASH=2B9681B9C7B5E00CD2814399F4685385trueMicrosoft WindowsValid 734700x8000000000000000353665Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:16.998{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\OnDemandConnRouteHelper.dll10.0.14393.0 (rs1_release.160715-1616)On Demand Connctiond Route HelperMicrosoft® Windows® Operating SystemMicrosoft CorporationOnDemandConnRouteHelper.dllMD5=DF275C9659ED8215695B572A8CE17FBC,SHA256=D8F3C962E828201B361A6F634412B7BE25EC1BD3F848F259E3C996BB9572B0FB,IMPHASH=BBDB119EC3E50CDEAA84B3E28AC52C3DtrueMicrosoft WindowsValid 734700x8000000000000000353664Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:16.996{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\winhttp.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows HTTP ServicesMicrosoft® Windows® Operating SystemMicrosoft Corporationwinhttp.dllMD5=8F6507E78B57C5C15C125EF3904F4A68,SHA256=213845D780A00F05ED859C2B2D257085E7100817F135D3CDB299874D402C0B53,IMPHASH=D569F6E4A4CC77554BFC5FE46045DA9AtrueMicrosoft WindowsValid 10341000x8000000000000000353663Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:16.960{6820D070-4ACF-6323-0B00-000000007502}620668C:\Windows\system32\lsass.exe{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000353662Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:16.937{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\mswsock.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft Windows Sockets 2.0 Service ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationmswsock.dllMD5=F18662FD1BCB04019CA35313C7BD1AB0,SHA256=44968455D3EEA914958BF90A83BA9311E9311676C32D8D46BB6109DF655738A4,IMPHASH=3BCAD7DA03A0242A2A34491F77EA8067trueMicrosoft WindowsValid 734700x8000000000000000353661Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:16.932{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\rtutils.dll10.0.14393.4825 (rs1_release.211202-1611)Routing UtilitiesMicrosoft® Windows® Operating SystemMicrosoft CorporationRTUTILS.DLLMD5=AFD803265386C9791F6A26C98A52B1E4,SHA256=F7D8E4CCD3E32B9F3937C93940F0D6C5D453FB77C5E2E66C14B50C354FF934FF,IMPHASH=CA2D0A2353175BFD399FB5381901EA00trueMicrosoft WindowsValid 734700x8000000000000000353660Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:16.931{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\rasman.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access Connection ManagerMicrosoft® Windows® Operating SystemMicrosoft CorporationRasman.dllMD5=5FA2F260361FC794573481F9EC54B03F,SHA256=58EE3CD71D7C6E004F4F99655C4BA715DF3A1F0305A2EC08F8662739AE5D97DB,IMPHASH=8B20BEBDEB3F8196B52FC66611947B06trueMicrosoft WindowsValid 734700x8000000000000000353659Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:16.930{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\rasapi32.dll10.0.14393.4283 (rs1_release.210303-1802)Remote Access APIMicrosoft® Windows® Operating SystemMicrosoft Corporationrasapi32.dllMD5=AF871935624629AA6B8DE455E8FB6487,SHA256=1C68A46D61720D2ACE4B1A31AF289CA50FF0FF00120401D209630A8AE970C98A,IMPHASH=79522D6413DA1768058547C716FAB849trueMicrosoft WindowsValid 734700x8000000000000000353658Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:16.794{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll2.0.50727.8745 (WinRel.050727-8700)System.Configuration.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.dllMD5=6E9FE32D7D938180DB306069FA9FBA62,SHA256=52A75F094CC93AD4A13147734BEEEC8F0CA989FF182BF6E9FDCFB69BF59A4A9D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000353657Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:16.794{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll2.0.50727.8745 (WinRel.050727-8700)System.Configuration.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.dllMD5=6E9FE32D7D938180DB306069FA9FBA62,SHA256=52A75F094CC93AD4A13147734BEEEC8F0CA989FF182BF6E9FDCFB69BF59A4A9D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000353656Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:16.794{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Configuration\2.0.0.0__b03f5f7f11d50a3a\System.configuration.dll2.0.50727.8745 (WinRel.050727-8700)System.Configuration.dllMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Configuration.dllMD5=6E9FE32D7D938180DB306069FA9FBA62,SHA256=52A75F094CC93AD4A13147734BEEEC8F0CA989FF182BF6E9FDCFB69BF59A4A9D,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 23542300x8000000000000000353655Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:16.066{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8B67C9261EE9108B663E734FE8A5766,SHA256=37ADA69988FA4E0900FB774F0C45ADE010B4B90E77C55E128C0FE3A37184BF2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192275Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:17.597{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D14591E9215C383454DD54C6B35C9C3,SHA256=C4F88F05E97220A9ABA49F4E3CBDE9FD13582423941943D046F3C058771F6E99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000353675Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:17.127{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=636DB1C2C8C2B7F810940449DE0904C5,SHA256=E95E536CF4AEF585BCB280E8765BF2BD09F8E93768D2D2EFD0E8CBB5988CEF46,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000353674Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:17.058{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\FWPUCLNT.DLL10.0.14393.0 (rs1_release.160715-1616)FWP/IPsec User-Mode APIMicrosoft® Windows® Operating SystemMicrosoft Corporationfwpuclnt.dllMD5=BA22C7AFE02E09916C5664E1DD98A879,SHA256=459AAE00EF66DADD15FB86684FFA028F0589C470A10EB27E0EA59C9E33C17E94,IMPHASH=58B9E3FB550C715872D0FDCF7F80C373trueMicrosoft WindowsValid 734700x8000000000000000353673Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:17.058{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\rasadhlp.dll10.0.14393.0 (rs1_release.160715-1616)Remote Access AutoDial HelperMicrosoft® Windows® Operating SystemMicrosoft Corporationrasadhlp.dllMD5=49F66601F196554BC9B36310CE84F011,SHA256=44FD17A3EC95EC7D0F568E132A6793BEB7582A8B48E7EEEC6C958BD217CFCA6A,IMPHASH=C910DDFE30DC1006ADAE67F73F17158EtrueMicrosoft WindowsValid 734700x8000000000000000353672Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:17.043{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\winnsi.dll10.0.14393.2339 (rs1_release_inmarket.180611-1502)Network Store Information RPC interfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationwinnsi.dllMD5=5777A6C6196919EBE8B73B273DF5FAF6,SHA256=062F973C688650068FD4B3E2EB0E474CE204120ED3E18CDC341C0A3E528C7839,IMPHASH=DC23FFFD2EBC3578D9A77CC0B9DC22C2trueMicrosoft WindowsValid 10341000x8000000000000000353671Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:17.043{6820D070-4ACF-6323-0B00-000000007502}620668C:\Windows\system32\lsass.exe{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\lsasrv.dll+787ac|C:\Windows\system32\lsasrv.dll+e8134|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000353670Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:17.043{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=FEC73B133C8A34087EF9E872CD1CD45E,SHA256=4BF805F38A47FAFE9E039DE56DD1B9E36B40561C6D3FD3C75907F35CAA91D9A6,IMPHASH=228F99E8B005CFF18296089AF6DEA022trueMicrosoft WindowsValid 734700x8000000000000000353669Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:17.001{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\dhcpcsvc.dll10.0.14393.3930 (rs1_release.200901-1914)DHCP Client ServiceMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc.dllMD5=68C7867BEB2A710D14B70D96C4D7DE4E,SHA256=DA093049898D4608579C739B6A63DC98A3FBA57ABDDBFB94C48D2A8335BA0CBD,IMPHASH=02FB3A0617EDCFE43788537F1544278CtrueMicrosoft WindowsValid 734700x8000000000000000353668Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:17.000{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\dhcpcsvc6.dll10.0.14393.3930 (rs1_release.200901-1914)DHCPv6 ClientMicrosoft® Windows® Operating SystemMicrosoft Corporationdhcpcsvc6.dllMD5=48821439687840212B6457EDD266FA1C,SHA256=F3E9CC2B98D7E0CEBCFCC7906926E839436358437EF10E335CAF7FFAB9E13DC5,IMPHASH=F55036BC63B11DD610F1F8CFD77D76A7trueMicrosoft WindowsValid 734700x8000000000000000353667Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:17.000{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=CDDE3316B3736A9613F31610AC137C9E,SHA256=545CD6206CC1CD22A7CE8B4845CFCE3E06AAD97D4334588A52F0F143CC8AD171,IMPHASH=5C77750BF609660A7729B242FA74E98CtrueMicrosoft WindowsValid 23542300x8000000000000000192276Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:18.690{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57AE98E2B3065473A0F3CD7CE7F14E15,SHA256=3FBB9C3C21661410F97145B0559399B866713D71814204F96E42224D505B9AD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000353677Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:18.163{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E29634A547E41AE983C8741250EA9221,SHA256=D5613082BF0B0D49C257E3C8EB6787CB976B2E3039E927217E783E3CBBB1785B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000353676Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:18.136{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Users\Administrator\AppData\Roaming\Tor\tor.zip2022-09-15 16:17:18.136 23542300x8000000000000000192277Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:19.788{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3B625491564FAF865BDAD8E8957975A,SHA256=8D605BE84849DB50BD7F07394A5788D4E690B48CCC8766B7F31AEF1185F25F04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000353704Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:19.906{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2E00-000000007502}2728C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353703Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:19.905{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2D00-000000007502}2720C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353702Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:19.900{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353701Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:19.549{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353700Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:19.544{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2900-000000007502}2576C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353699Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:19.538{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353698Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:19.529{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2600-000000007502}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353697Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:19.524{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2500-000000007502}2460C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353696Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:19.521{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADB-6323-2300-000000007502}2300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353695Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:19.519{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD2-6323-1B00-000000007502}1512C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353694Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:19.517{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1700-000000007502}1348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353693Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:19.501{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1600-000000007502}1292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353692Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:19.447{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353691Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:19.435{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1400-000000007502}1160C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353690Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:19.426{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1300-000000007502}924C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353689Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:19.399{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1200-000000007502}396C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353688Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:19.373{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1100-000000007502}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353687Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:19.352{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1000-000000007502}428C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353686Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:19.315{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0F00-000000007502}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353685Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:19.286{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353684Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:19.266{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0D00-000000007502}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353683Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:19.250{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 23542300x8000000000000000353682Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:19.215{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2554B745E626E262BE3721DF4CAF057,SHA256=4F51336CE89CC7A37544DFB6F9285F87D6272F369EE19C7904414890C822FDFB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000353681Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:19.175{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 10341000x8000000000000000353680Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:19.167{6820D070-4ADF-6323-2A00-000000007502}26163344C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0900-000000007502}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(000000001AE3A190) 22542200x8000000000000000353679Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:17.064{6820D070-5007-6323-8301-000000007502}7036www.theonionrouter.com0::ffff:10.0.1.16;C:\Temp\agent_tesla-deob.exe 354300x8000000000000000353678Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:16.395{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63649-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000192280Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:20.903{E743DC12-4AD1-6323-2200-000000007602}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192279Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:20.887{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBA1070E2F5757E7B605B23DCC543D73,SHA256=1304BD5691BE141BED0C464A037F9E410F57F911CC7E2003397059158E91B624,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000353715Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:20.696{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\WindowsCodecs.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft Windows Codecs LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationWindowsCodecsMD5=7294744A8618ADCFB97F6CC9B06781BF,SHA256=9CBA204AECE064C4E8AA5C1E8D7C17EA054A47B315D8CEEFA1C206395E5E32D7,IMPHASH=5CB0004DB7090241A0C06F1853D02144trueMicrosoft WindowsValid 734700x8000000000000000353714Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:20.634{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.14393.5127_none_f67513fcf253b94f\GdiPlus.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft GDI+Microsoft® Windows® Operating SystemMicrosoft CorporationgdiplusMD5=6EDB43C233D76CB312D42C21716962E5,SHA256=19DD51B9B6B8371291C41DFD76B69995953A062A1701EEF302CE44C68599171A,IMPHASH=7693D57C38FF80D4013B00CECB7C64E3trueMicrosoft WindowsValid 734700x8000000000000000353713Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:20.634{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\msctf.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)MSCTF Server DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationMSCTF.DLLMD5=AC951CC1306C73767A05F04BFC916CD8,SHA256=5FE28B70168433EF1C6DDE3CB1BE43A1A614508C37BC9C32F2051E5BA341C6C3,IMPHASH=EF37C47ACC74D5DC3737EEE137193A8DtrueMicrosoft WindowsValid 734700x8000000000000000353712Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:20.333{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationAccessibility.dllMD5=B2E013306A84513CA912FF6DE4F53C4F,SHA256=AB56D0A7507FBBB187D165BAA5046F210D14D18FCDBCFE494EF7794843917F97,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000353711Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:20.333{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationAccessibility.dllMD5=B2E013306A84513CA912FF6DE4F53C4F,SHA256=AB56D0A7507FBBB187D165BAA5046F210D14D18FCDBCFE494EF7794843917F97,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000353710Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:20.333{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\Accessibility\2.0.0.0__b03f5f7f11d50a3a\Accessibility.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationAccessibility.dllMD5=B2E013306A84513CA912FF6DE4F53C4F,SHA256=AB56D0A7507FBBB187D165BAA5046F210D14D18FCDBCFE494EF7794843917F97,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000353709Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:20.333{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\SysWOW64\dwmapi.dll10.0.14393.4169 (rs1_release.210107-1130)Microsoft Desktop Window Manager APIMicrosoft® Windows® Operating SystemMicrosoft Corporationdwmapi.dllMD5=F6B687A32ABAE8BE3B02C122B58D952F,SHA256=DF763BDC4348BBEA93375263BF88E0BCD1267C58FC0F6E994F6D778D302DDE85,IMPHASH=60EA58ED63BD25EC1709F72F112B0086trueMicrosoft WindowsValid 734700x8000000000000000353708Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:20.296{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Drawing.dllMD5=10E731CD4FE19798054F2D564012364F,SHA256=F23C4888571741A8528631F72F21F061F936626F11CC43FB851DC1A2D73B2E9B,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000353707Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:20.296{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Drawing.dllMD5=10E731CD4FE19798054F2D564012364F,SHA256=F23C4888571741A8528631F72F21F061F936626F11CC43FB851DC1A2D73B2E9B,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 734700x8000000000000000353706Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:20.296{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Windows\assembly\GAC_MSIL\System.Drawing\2.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll2.0.50727.8745 (WinRel.050727-8700).NET FrameworkMicrosoft® .NET FrameworkMicrosoft CorporationSystem.Drawing.dllMD5=10E731CD4FE19798054F2D564012364F,SHA256=F23C4888571741A8528631F72F21F061F936626F11CC43FB851DC1A2D73B2E9B,IMPHASH=DAE02F32A21E03CE65412F6E56942DAAtrueMicrosoft WindowsValid 23542300x8000000000000000353705Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:20.249{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A1894387FD0094ECA9B4EB389948A9E,SHA256=829D9212C4C6AC0731E62A11602AA828E8A325C9F5D86971188854F7A7C3EC60,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192278Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:17.451{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49956-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000192281Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:21.981{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C956B7997FB4293C3C26D597894F57F,SHA256=F95E723316B65ECC9364D0FC9271E0A9234A7C15BADFD55C2C40C9139AFA138C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000353730Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:21.926{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3500-000000007502}2408C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353729Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:21.925{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3300-000000007502}2176C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353728Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:21.922{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353727Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:21.920{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3100-000000007502}2816C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353726Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:21.918{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2F00-000000007502}2800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353725Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:21.915{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3000-000000007502}2780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 11241100x8000000000000000353724Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:21.815{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Users\Administrator\AppData\Roaming\Tor\tor.zip2022-09-15 16:17:18.136 734700x8000000000000000353723Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:21.633{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000353722Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:21.633{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000353721Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:21.633{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000353720Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:21.629{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000353719Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:21.629{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000353718Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:21.629{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000353717Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:21.628{6820D070-4AD1-6323-0C00-000000007502}828860C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000353716Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:21.283{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7C19E3B192FCD871D2D7EB2893A3C5E,SHA256=2430BE3384B87DDB22BED5EA506D32C64D7CBCA8D04C78A0030922E48BB459E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192282Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:20.121{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49957-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 10341000x8000000000000000353762Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:22.607{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353761Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:22.606{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353760Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:22.606{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4FC8-6323-7701-000000007502}8024C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353759Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:22.592{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353758Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:22.590{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353757Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:22.588{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353756Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:22.583{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353755Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:22.581{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353754Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:22.578{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353753Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:22.571{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF6-6323-1401-000000007502}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353752Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:22.570{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353751Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:22.566{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F100-000000007502}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353750Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:22.564{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F000-000000007502}6028C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353749Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:22.560{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EF00-000000007502}5984C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353748Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:22.553{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EE00-000000007502}5852C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353747Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:22.536{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353746Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:22.529{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353745Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:22.520{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353744Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:22.473{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353743Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:22.466{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-9100-000000007502}4556C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353742Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:22.458{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-8E00-000000007502}4492C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353741Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:22.454{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8B00-000000007502}4360C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353740Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:22.453{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8900-000000007502}900C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353739Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:22.451{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B64-6323-8600-000000007502}5052c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353738Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:22.449{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B5A-6323-8400-000000007502}4824C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353737Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:22.446{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AF2-6323-7D00-000000007502}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353736Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:22.444{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353735Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:22.441{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4C00-000000007502}3976C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353734Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:22.440{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4700-000000007502}3772C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353733Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:22.436{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE1-6323-4600-000000007502}3752C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000353732Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:22.434{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE0-6323-3A00-000000007502}3404C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 23542300x8000000000000000353731Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:22.367{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6335806C023EF961BE935E53B20AB9C2,SHA256=C9485A9B9EECD9E4D78BE42C7108064BD2C7F81C0DBA1425683C2B8F91F75C79,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192288Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:23.980{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0E00-000000007602}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192287Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:23.970{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0D00-000000007602}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192286Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:23.963{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0C00-000000007602}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192285Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:23.951{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192284Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:23.946{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0900-000000007602}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 23542300x8000000000000000192283Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:23.067{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4CF775C4F65E9E6871DC963EF195D1C,SHA256=8FDEBF3C1821CCC4AB18AF78C30CE60407F743A95E501CAE321A6A475F71D7C0,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000353814Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.619{6820D070-5013-6323-8401-000000007502}9228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000353813Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.619{6820D070-5013-6323-8401-000000007502}9228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000353812Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.619{6820D070-5013-6323-8401-000000007502}9228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000353811Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.452{6820D070-5013-6323-8401-000000007502}9228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000353810Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.452{6820D070-5013-6323-8401-000000007502}9228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000353809Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.452{6820D070-5013-6323-8401-000000007502}9228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000353808Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.452{6820D070-5013-6323-8401-000000007502}9228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000353807Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.452{6820D070-5013-6323-8401-000000007502}9228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000353806Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.452{6820D070-5013-6323-8401-000000007502}9228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000353805Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.452{6820D070-5013-6323-8401-000000007502}9228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000353804Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.452{6820D070-5013-6323-8401-000000007502}9228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000353803Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.437{6820D070-5013-6323-8401-000000007502}9228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000353802Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.437{6820D070-5013-6323-8401-000000007502}9228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000353801Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.437{6820D070-5013-6323-8401-000000007502}9228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000353800Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.437{6820D070-5013-6323-8401-000000007502}9228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000353799Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.437{6820D070-5013-6323-8401-000000007502}9228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000353798Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.437{6820D070-5013-6323-8401-000000007502}9228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000353797Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.437{6820D070-5013-6323-8401-000000007502}9228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000353796Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.437{6820D070-5013-6323-8401-000000007502}9228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000353795Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.437{6820D070-5013-6323-8401-000000007502}9228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000353794Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.437{6820D070-5013-6323-8401-000000007502}9228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000353793Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.437{6820D070-5013-6323-8401-000000007502}9228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000353792Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.437{6820D070-5013-6323-8401-000000007502}9228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000353791Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.437{6820D070-5013-6323-8401-000000007502}9228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000353790Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.437{6820D070-5013-6323-8401-000000007502}9228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000353789Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.437{6820D070-5013-6323-8401-000000007502}9228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000353788Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.437{6820D070-5013-6323-8401-000000007502}9228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000353787Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.437{6820D070-5013-6323-8401-000000007502}9228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000353786Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.437{6820D070-5013-6323-8401-000000007502}9228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000353785Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.437{6820D070-5013-6323-8401-000000007502}9228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000353784Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.437{6820D070-5013-6323-8401-000000007502}9228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000353783Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.437{6820D070-5013-6323-8401-000000007502}9228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000353782Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.437{6820D070-5013-6323-8401-000000007502}9228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000353781Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.437{6820D070-5013-6323-8401-000000007502}9228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000353780Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.437{6820D070-5013-6323-8401-000000007502}9228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000353779Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.437{6820D070-5013-6323-8401-000000007502}9228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000353778Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.437{6820D070-5013-6323-8401-000000007502}9228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000353777Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.437{6820D070-5013-6323-8401-000000007502}9228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000353776Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.437{6820D070-5013-6323-8401-000000007502}9228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000353775Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.437{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-5013-6323-8401-000000007502}9228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000353774Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.437{6820D070-5013-6323-8401-000000007502}9228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000353773Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.437{6820D070-5013-6323-8401-000000007502}9228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000353772Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.437{6820D070-5013-6323-8401-000000007502}9228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000353771Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.437{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000353770Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.437{6820D070-5013-6323-8401-000000007502}9228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000353769Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.437{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353768Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.437{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353767Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.437{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353766Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.437{6820D070-4ACF-6323-0500-000000007502}404472C:\Windows\system32\csrss.exe{6820D070-5013-6323-8401-000000007502}9228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000353765Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.437{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-5013-6323-8401-000000007502}9228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000353764Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.438{6820D070-5013-6323-8401-000000007502}9228C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000353763Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.435{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B5BA6D7D7DE76AACB5F76E839695F53,SHA256=E7EC506D55F931FF738074B66F897756CC13C29DF0A7FC2FA1DF9B1E866F735B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192320Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:24.250{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99582CA9563DD0C6266C378395129C5E,SHA256=5C9ECFE0A40CA6DCBD68BE4F73A81FE188D0584E298C254A09E3DE2521833F7A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192319Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:24.211{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B84-6323-9000-000000007602}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192318Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:24.203{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192317Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:24.189{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192316Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:24.185{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8700-000000007602}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192315Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:24.178{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B81-6323-8400-000000007602}3052C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192314Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:24.174{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B80-6323-8100-000000007602}640C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192313Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:24.173{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B7F-6323-7F00-000000007602}1676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192312Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:24.171{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B4B-6323-7B00-000000007602}2656C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192311Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:24.164{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AE3-6323-6D00-000000007602}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192310Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:24.162{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192309Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:24.159{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4200-000000007602}3036C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192308Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:24.159{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4000-000000007602}3000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192307Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:24.157{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-3C00-000000007602}2820C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192306Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:24.156{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD2-6323-2B00-000000007602}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192305Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:24.155{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2600-000000007602}2612C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192304Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:24.154{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2500-000000007602}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192303Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:24.151{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 354300x8000000000000000353927Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:22.303{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63657-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 734700x8000000000000000353926Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.837{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000353925Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.822{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000353924Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.822{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000353923Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.671{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000353922Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.670{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000353921Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.670{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000353920Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.669{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000353919Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.665{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000353918Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.665{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000353917Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.665{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000353916Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.665{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000353915Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.639{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sspicli.dll10.0.14393.5006 (rs1_release.220301-1704)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsspicli.dllMD5=F0258C58C8DC45AF9B5AAF9BA49E0C53,SHA256=8E1EAA39742CC0E97D615229E9C13C8447B8D115B4678A1F03BE3E8E20345521,IMPHASH=4B1C9487A6420C18F688F0EC5BEB6F33trueMicrosoft WindowsValid 734700x8000000000000000353914Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.639{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000353913Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.639{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000353912Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.639{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000353911Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.639{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000353910Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.639{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000353909Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.639{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000353908Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.639{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000353907Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.639{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000353906Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.639{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000353905Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.639{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000353904Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.639{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000353903Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.639{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000353902Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.639{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000353901Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.639{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000353900Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.639{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000353899Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.639{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000353898Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.639{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000353897Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.639{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000353896Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.639{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000353895Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.639{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\nsi.dll10.0.14393.3297 (rs1_release_1.191001-1045)NSI User-mode interface DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationnsi.dllMD5=994E2A6D2A0B38E0968B3998E42033AC,SHA256=491F2D1DE09C39B324BCF5800198AC7CCE755F4023F1FEB3854D33716461BC27,IMPHASH=B01B7830101BC0D5FBDE4FFE2B170CF7trueMicrosoft WindowsValid 734700x8000000000000000353894Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.639{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000353893Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.639{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000353892Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.639{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000353891Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.639{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\dnsapi.dll10.0.14393.4350 (rs1_release.210407-2154)DNS Client API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationdnsapiMD5=D7651F99299B13D576A72643BFC44944,SHA256=589302E630C473DBDF4CE92C59F00B029FCA0C228E7111A764166E16025FA1A9,IMPHASH=3C043C6FF0F62DAEB8819606F79C5ECCtrueMicrosoft WindowsValid 734700x8000000000000000353890Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.639{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000353889Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.639{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\IPHLPAPI.DLL10.0.14393.2339 (rs1_release_inmarket.180611-1502)IP Helper APIMicrosoft® Windows® Operating SystemMicrosoft Corporationiphlpapi.dllMD5=3CD38EDF9CA12F91131EDEE32D1C9DF5,SHA256=AF2440640BF8BDEAAF0DECDD7C354158E415ED0AA340ABA7A6CCCDC09C1E728B,IMPHASH=98738BA55485CCA932F6D222F47FFC55trueMicrosoft WindowsValid 734700x8000000000000000353888Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.639{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000353887Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.639{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000353886Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.639{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000353885Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.639{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000353884Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.639{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 10341000x8000000000000000353883Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.639{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000353882Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.639{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000353881Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.639{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000353880Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.639{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000353879Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.639{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exeMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52trueSplunk, Inc.Valid 10341000x8000000000000000353878Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.639{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353877Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.639{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353876Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.639{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353875Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.639{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353874Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.639{6820D070-4ACF-6323-0500-000000007502}404472C:\Windows\system32\csrss.exe{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000353873Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.639{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000353872Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.641{6820D070-5014-6323-8601-000000007502}9384C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000353871Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.639{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F49495D3FE6AB1D7D39DD4F7134E323,SHA256=A04C2D570491111653ADF27217127A09C96490FE8B793A17CF88AD5C694C32D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000353870Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.554{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F8B0EAB9ABC9AD8E8C9D95E8D5DED77,SHA256=8131EB09DDD0F0D503C4B400E7058FAE8F6C0B9DA4CB14300BB26481BDF45EF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000353869Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.554{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=811316D0493BDB2BE6370D7BFEA718AA,SHA256=29C2F07C4E9060BC53DB19CF9DC86C1EA32BEAF3802000DDFEE1712DFCB75FB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000353868Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.536{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=036CB2A3640673CE53E4B1C330D93BA0,SHA256=A1529BB7C257434A0ADC486C4CE614D8AFD888207D42F75DA4744262DF8DBA6E,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000353867Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.307{6820D070-5014-6323-8501-000000007502}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000353866Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.307{6820D070-5014-6323-8501-000000007502}93729400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000353865Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.298{6820D070-5014-6323-8501-000000007502}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000353864Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.297{6820D070-5014-6323-8501-000000007502}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000353863Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.132{6820D070-5014-6323-8501-000000007502}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000353862Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.132{6820D070-5014-6323-8501-000000007502}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000353861Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.120{6820D070-5014-6323-8501-000000007502}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000353860Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.120{6820D070-5014-6323-8501-000000007502}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000353859Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.120{6820D070-5014-6323-8501-000000007502}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000353858Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.120{6820D070-5014-6323-8501-000000007502}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000353857Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.120{6820D070-5014-6323-8501-000000007502}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000353856Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.120{6820D070-5014-6323-8501-000000007502}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000353855Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.100{6820D070-5014-6323-8501-000000007502}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000353854Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.100{6820D070-5014-6323-8501-000000007502}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000353853Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.100{6820D070-5014-6323-8501-000000007502}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000353852Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.100{6820D070-5014-6323-8501-000000007502}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000353851Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.100{6820D070-5014-6323-8501-000000007502}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000353850Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.100{6820D070-5014-6323-8501-000000007502}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000353849Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.100{6820D070-5014-6323-8501-000000007502}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000353848Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.100{6820D070-5014-6323-8501-000000007502}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000353847Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.100{6820D070-5014-6323-8501-000000007502}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000353846Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.100{6820D070-5014-6323-8501-000000007502}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000353845Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.100{6820D070-5014-6323-8501-000000007502}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000353844Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.100{6820D070-5014-6323-8501-000000007502}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000353843Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.100{6820D070-5014-6323-8501-000000007502}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000353842Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.100{6820D070-5014-6323-8501-000000007502}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000353841Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.100{6820D070-5014-6323-8501-000000007502}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000353840Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.100{6820D070-5014-6323-8501-000000007502}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000353839Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.100{6820D070-5014-6323-8501-000000007502}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000353838Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.100{6820D070-5014-6323-8501-000000007502}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000353837Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.100{6820D070-5014-6323-8501-000000007502}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000353836Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.100{6820D070-5014-6323-8501-000000007502}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000353835Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.100{6820D070-5014-6323-8501-000000007502}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000353834Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.100{6820D070-5014-6323-8501-000000007502}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000353833Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.100{6820D070-5014-6323-8501-000000007502}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000353832Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.100{6820D070-5014-6323-8501-000000007502}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000353831Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.100{6820D070-5014-6323-8501-000000007502}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000353830Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.100{6820D070-5014-6323-8501-000000007502}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000353829Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.100{6820D070-5014-6323-8501-000000007502}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\secur32.dll10.0.14393.2273 (rs1_release_1.180427-1811)Security Support Provider InterfaceMicrosoft® Windows® Operating SystemMicrosoft Corporationsecur32.dllMD5=BCF1B2F76F8A3A3E9E8F4D4322954651,SHA256=46B327CD50E728CBC22BD80F39DCEF2789AB780C77B6D285EEB90126B06EEEB5,IMPHASH=0D8FF9DE2DA5C07D680347B1A098E759trueMicrosoft WindowsValid 734700x8000000000000000353828Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.100{6820D070-5014-6323-8501-000000007502}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000353827Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.100{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-5014-6323-8501-000000007502}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000353826Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.100{6820D070-5014-6323-8501-000000007502}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000353825Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.100{6820D070-5014-6323-8501-000000007502}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000353824Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.100{6820D070-5014-6323-8501-000000007502}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000353823Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.100{6820D070-5014-6323-8501-000000007502}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exeMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778trueSplunk, Inc.Valid 10341000x8000000000000000353822Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.100{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353821Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.100{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192302Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:24.145{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192301Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:24.139{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2000-000000007602}2000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192300Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:24.136{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1F00-000000007602}1984C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192299Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:24.131{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1C00-000000007602}1924C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192298Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:24.124{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1900-000000007602}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192297Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:24.096{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1700-000000007602}1228C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192296Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:24.093{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1600-000000007602}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192295Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:24.084{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1500-000000007602}1056C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192294Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:24.058{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1400-000000007602}1048C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192293Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:24.046{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1300-000000007602}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192292Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:24.039{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1200-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192291Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:24.031{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1100-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192290Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:24.009{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1000-000000007602}940C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000192289Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:24.001{E743DC12-4AD0-6323-1D00-000000007602}19442872C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0F00-000000007602}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C80A90) 10341000x8000000000000000353820Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.100{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353819Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.100{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353818Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.100{6820D070-4ACF-6323-0500-000000007502}404420C:\Windows\system32\csrss.exe{6820D070-5014-6323-8501-000000007502}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000353817Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.100{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-5014-6323-8501-000000007502}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000353816Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.101{6820D070-5014-6323-8501-000000007502}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000353815Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:24.000{6820D070-4ADF-6323-3200-000000007502}2936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000353991Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.988{6820D070-5015-6323-8801-000000007502}8864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000353990Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.988{6820D070-5015-6323-8801-000000007502}8864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000353989Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.988{6820D070-5015-6323-8801-000000007502}8864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000353988Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.988{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353987Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.988{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353986Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.988{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353985Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.988{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353984Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.988{6820D070-4ACF-6323-0500-000000007502}404420C:\Windows\system32\csrss.exe{6820D070-5015-6323-8801-000000007502}8864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000353983Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.988{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-5015-6323-8801-000000007502}8864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000353982Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.988{6820D070-5015-6323-8801-000000007502}8864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000353981Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.740{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D55F5042E5305EC4AC9E4B61B9460A00,SHA256=79A40D677B19095CE978431F4CE105E2304979339C653344586A9C7A06B010E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000353980Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.721{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=979AA943E410FBECB0C2CA6EEDC306E0,SHA256=FC435436A838AB16DD0A669CB59DAFC9DD3FC9C8EF9307E8FE1E0D3463B68895,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192321Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:25.223{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6746DFD5494B74963BBD6381D17A655E,SHA256=76D2BA43D5B1447A2CB33A57D31AFA6229F659666C14F2E470272B6816725389,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000353979Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.521{6820D070-5015-6323-8701-000000007502}9260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000353978Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.520{6820D070-5015-6323-8701-000000007502}92608240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000353977Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.520{6820D070-5015-6323-8701-000000007502}9260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000353976Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.519{6820D070-5015-6323-8701-000000007502}9260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000353975Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.345{6820D070-5015-6323-8701-000000007502}9260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000353974Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.344{6820D070-5015-6323-8701-000000007502}9260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000353973Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.342{6820D070-5015-6323-8701-000000007502}9260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000353972Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.341{6820D070-5015-6323-8701-000000007502}9260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000353971Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.337{6820D070-5015-6323-8701-000000007502}9260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000353970Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.337{6820D070-5015-6323-8701-000000007502}9260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000353969Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.336{6820D070-5015-6323-8701-000000007502}9260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000353968Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.335{6820D070-5015-6323-8701-000000007502}9260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000353967Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.327{6820D070-5015-6323-8701-000000007502}9260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000353966Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.325{6820D070-5015-6323-8701-000000007502}9260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000353965Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.325{6820D070-5015-6323-8701-000000007502}9260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000353964Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.325{6820D070-5015-6323-8701-000000007502}9260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000353963Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.324{6820D070-5015-6323-8701-000000007502}9260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000353962Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.322{6820D070-5015-6323-8701-000000007502}9260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000353961Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.322{6820D070-5015-6323-8701-000000007502}9260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000353960Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.322{6820D070-5015-6323-8701-000000007502}9260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000353959Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.322{6820D070-5015-6323-8701-000000007502}9260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000353958Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.322{6820D070-5015-6323-8701-000000007502}9260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000353957Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.322{6820D070-5015-6323-8701-000000007502}9260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000353956Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.322{6820D070-5015-6323-8701-000000007502}9260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000353955Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.322{6820D070-5015-6323-8701-000000007502}9260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000353954Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.322{6820D070-5015-6323-8701-000000007502}9260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000353953Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.322{6820D070-5015-6323-8701-000000007502}9260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000353952Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.321{6820D070-5015-6323-8701-000000007502}9260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000353951Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.321{6820D070-5015-6323-8701-000000007502}9260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000353950Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.321{6820D070-5015-6323-8701-000000007502}9260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000353949Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.321{6820D070-5015-6323-8701-000000007502}9260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000353948Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.321{6820D070-5015-6323-8701-000000007502}9260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000353947Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.321{6820D070-5015-6323-8701-000000007502}9260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000353946Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.321{6820D070-5015-6323-8701-000000007502}9260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000353945Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.321{6820D070-5015-6323-8701-000000007502}9260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000353944Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.320{6820D070-5015-6323-8701-000000007502}9260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000353943Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.320{6820D070-5015-6323-8701-000000007502}9260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000353942Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.320{6820D070-5015-6323-8701-000000007502}9260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000353941Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.320{6820D070-5015-6323-8701-000000007502}9260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 10341000x8000000000000000353940Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.319{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-5015-6323-8701-000000007502}9260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000353939Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.318{6820D070-5015-6323-8701-000000007502}9260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000353938Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.318{6820D070-5015-6323-8701-000000007502}9260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000353937Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.317{6820D070-5015-6323-8701-000000007502}9260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 10341000x8000000000000000353936Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.317{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000353935Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.317{6820D070-5015-6323-8701-000000007502}9260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----MD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9trueSplunk, Inc.Valid 10341000x8000000000000000353934Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.317{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353933Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.317{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353932Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.317{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000353931Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.317{6820D070-4ACF-6323-0500-000000007502}404520C:\Windows\system32\csrss.exe{6820D070-5015-6323-8701-000000007502}9260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000353930Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.316{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-5015-6323-8701-000000007502}9260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000353929Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.316{6820D070-5015-6323-8701-000000007502}9260C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x8000000000000000353928Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.055{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Users\Administrator\AppData\Roaming\Tor\tor.zip2022-09-15 16:17:18.136 23542300x8000000000000000354086Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.942{6820D070-4ADF-6323-3200-000000007502}2936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=1023897BCAAD4600F595CF9A7FBCE622,SHA256=FA38A4B3B4C8A1E0BA8B45A30EEC1BDE0259EE34AD413ABAA3CCEF9DC0DB35AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354085Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.857{6820D070-5016-6323-8901-000000007502}94929500C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000354084Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.857{6820D070-5016-6323-8901-000000007502}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000354083Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.857{6820D070-5016-6323-8901-000000007502}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000354082Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.842{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A3C7510AD17809550A8266D9D514139,SHA256=2ABF17ECD4AD1D1A7584E100230DDA6781F10B4DC822F730346BD9B32F1B7436,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192323Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:23.443{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49958-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000192322Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:26.323{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2D7CBCE2C5A0BC3C3E87C50BB7957EC,SHA256=61C5883B45760A6F4831A33F81612CE24563AA7C5551F84EB990E5EB52408F05,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000354081Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.672{6820D070-5016-6323-8901-000000007502}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000354080Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.672{6820D070-5016-6323-8901-000000007502}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000354079Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.672{6820D070-5016-6323-8901-000000007502}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000354078Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.672{6820D070-5016-6323-8901-000000007502}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000354077Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.672{6820D070-5016-6323-8901-000000007502}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000354076Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.672{6820D070-5016-6323-8901-000000007502}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000354075Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.672{6820D070-5016-6323-8901-000000007502}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000354074Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.672{6820D070-5016-6323-8901-000000007502}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000354073Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.672{6820D070-5016-6323-8901-000000007502}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000354072Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.657{6820D070-5016-6323-8901-000000007502}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000354071Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.657{6820D070-5016-6323-8901-000000007502}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000354070Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.657{6820D070-5016-6323-8901-000000007502}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000354069Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.657{6820D070-5016-6323-8901-000000007502}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000354068Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.657{6820D070-5016-6323-8901-000000007502}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000354067Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.657{6820D070-5016-6323-8901-000000007502}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000354066Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.657{6820D070-5016-6323-8901-000000007502}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000354065Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.657{6820D070-5016-6323-8901-000000007502}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000354064Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.657{6820D070-5016-6323-8901-000000007502}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000354063Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.657{6820D070-5016-6323-8901-000000007502}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000354062Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.657{6820D070-5016-6323-8901-000000007502}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000354061Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.657{6820D070-5016-6323-8901-000000007502}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000354060Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.657{6820D070-5016-6323-8901-000000007502}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000354059Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.657{6820D070-5016-6323-8901-000000007502}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000354058Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.657{6820D070-5016-6323-8901-000000007502}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000354057Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.657{6820D070-5016-6323-8901-000000007502}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000354056Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.657{6820D070-5016-6323-8901-000000007502}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000354055Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.657{6820D070-5016-6323-8901-000000007502}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000354054Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.657{6820D070-5016-6323-8901-000000007502}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000354053Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.657{6820D070-5016-6323-8901-000000007502}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000354052Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.657{6820D070-5016-6323-8901-000000007502}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000354051Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.657{6820D070-5016-6323-8901-000000007502}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000354050Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.657{6820D070-5016-6323-8901-000000007502}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000354049Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.657{6820D070-5016-6323-8901-000000007502}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000354048Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.657{6820D070-5016-6323-8901-000000007502}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000354047Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.657{6820D070-5016-6323-8901-000000007502}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000354046Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.657{6820D070-5016-6323-8901-000000007502}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000354045Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.657{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-5016-6323-8901-000000007502}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000354044Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.657{6820D070-5016-6323-8901-000000007502}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000354043Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.657{6820D070-5016-6323-8901-000000007502}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000354042Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.657{6820D070-5016-6323-8901-000000007502}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000354041Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.657{6820D070-5016-6323-8901-000000007502}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exeMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2trueSplunk, Inc.Valid 10341000x8000000000000000354040Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.657{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354039Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.657{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354038Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.657{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354037Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.657{6820D070-4ACF-6323-0500-000000007502}404472C:\Windows\system32\csrss.exe{6820D070-5016-6323-8901-000000007502}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000354036Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.657{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354035Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.657{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-5016-6323-8901-000000007502}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000354034Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.660{6820D070-5016-6323-8901-000000007502}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 734700x8000000000000000354033Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.173{6820D070-5015-6323-8801-000000007502}8864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 10341000x8000000000000000354032Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.173{6820D070-5015-6323-8801-000000007502}88648736C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000354031Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.173{6820D070-5015-6323-8801-000000007502}8864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000354030Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.173{6820D070-5015-6323-8801-000000007502}8864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000354029Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.023{6820D070-5015-6323-8801-000000007502}8864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000354028Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.022{6820D070-5015-6323-8801-000000007502}8864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000354027Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.022{6820D070-5015-6323-8801-000000007502}8864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000354026Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.020{6820D070-5015-6323-8801-000000007502}8864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000354025Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.003{6820D070-5015-6323-8801-000000007502}8864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000354024Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.003{6820D070-5015-6323-8801-000000007502}8864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000354023Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.003{6820D070-5015-6323-8801-000000007502}8864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000354022Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.003{6820D070-5015-6323-8801-000000007502}8864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000354021Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.003{6820D070-5015-6323-8801-000000007502}8864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000354020Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.003{6820D070-5015-6323-8801-000000007502}8864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000354019Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.003{6820D070-5015-6323-8801-000000007502}8864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000354018Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.003{6820D070-5015-6323-8801-000000007502}8864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000354017Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.003{6820D070-5015-6323-8801-000000007502}8864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000354016Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.003{6820D070-5015-6323-8801-000000007502}8864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000354015Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.003{6820D070-5015-6323-8801-000000007502}8864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000354014Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.988{6820D070-5015-6323-8801-000000007502}8864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000354013Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.988{6820D070-5015-6323-8801-000000007502}8864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000354012Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.988{6820D070-5015-6323-8801-000000007502}8864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000354011Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.988{6820D070-5015-6323-8801-000000007502}8864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000354010Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.988{6820D070-5015-6323-8801-000000007502}8864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000354009Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.988{6820D070-5015-6323-8801-000000007502}8864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000354008Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.988{6820D070-5015-6323-8801-000000007502}8864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000354007Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.988{6820D070-5015-6323-8801-000000007502}8864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000354006Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.988{6820D070-5015-6323-8801-000000007502}8864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000354005Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.988{6820D070-5015-6323-8801-000000007502}8864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000354004Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.988{6820D070-5015-6323-8801-000000007502}8864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000354003Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.988{6820D070-5015-6323-8801-000000007502}8864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000354002Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.988{6820D070-5015-6323-8801-000000007502}8864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000354001Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.988{6820D070-5015-6323-8801-000000007502}8864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000354000Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.988{6820D070-5015-6323-8801-000000007502}8864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000353999Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.988{6820D070-5015-6323-8801-000000007502}8864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 354300x8000000000000000353998Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:23.170{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63659-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 734700x8000000000000000353997Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.988{6820D070-5015-6323-8801-000000007502}8864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000353996Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.988{6820D070-5015-6323-8801-000000007502}8864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000353995Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.988{6820D070-5015-6323-8801-000000007502}8864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000353994Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.988{6820D070-5015-6323-8801-000000007502}8864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 10341000x8000000000000000353993Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.988{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-5015-6323-8801-000000007502}8864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000353992Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.988{6820D070-5015-6323-8801-000000007502}8864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 23542300x8000000000000000192324Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:27.417{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40D03AC3F4AEF6FA45A04629F90D0760,SHA256=F1B824B8028F841263F87D1FD2D7D6657D24FB9706272D70B5E6DD4C7D95B002,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354138Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.569{6820D070-4ACF-6323-0B00-000000007502}620668C:\Windows\system32\lsass.exe{6820D070-4AB3-6323-0100-000000007502}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+97fa2|C:\Windows\system32\kerberos.DLL+7a1d8|C:\Windows\system32\kerberos.DLL+1457f|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+2e0b6|C:\Windows\system32\lsasrv.dll+33a29|C:\Windows\system32\lsasrv.dll+31377|C:\Windows\system32\lsasrv.dll+302b1|C:\Windows\system32\lsasrv.dll+17ced|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e 734700x8000000000000000354137Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.375{6820D070-5017-6323-8A01-000000007502}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000354136Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.359{6820D070-5017-6323-8A01-000000007502}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000354135Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.359{6820D070-5017-6323-8A01-000000007502}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 734700x8000000000000000354134Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.191{6820D070-5017-6323-8A01-000000007502}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000354133Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.191{6820D070-5017-6323-8A01-000000007502}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000354132Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.191{6820D070-5017-6323-8A01-000000007502}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000354131Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.191{6820D070-5017-6323-8A01-000000007502}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000354130Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.191{6820D070-5017-6323-8A01-000000007502}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000354129Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.191{6820D070-5017-6323-8A01-000000007502}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000354128Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.191{6820D070-5017-6323-8A01-000000007502}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000354127Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.191{6820D070-5017-6323-8A01-000000007502}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000354126Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.191{6820D070-5017-6323-8A01-000000007502}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000354125Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.191{6820D070-5017-6323-8A01-000000007502}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000354124Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.190{6820D070-5017-6323-8A01-000000007502}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000354123Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.190{6820D070-5017-6323-8A01-000000007502}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000354122Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.190{6820D070-5017-6323-8A01-000000007502}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000354121Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.190{6820D070-5017-6323-8A01-000000007502}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\winspool.drv10.0.14393.5192 (rs1_release.220610-1622)Windows Spooler DriverMicrosoft® Windows® Operating SystemMicrosoft Corporationwinspool.drvMD5=B35177BAFC97AEAE651855029064EFD9,SHA256=126CD0C2A881ECB0872E53799662495FB0B763BB94FB3F32E4C67BB1618C9891,IMPHASH=05E3BE6B6949EB358D57BA04AF2EF75AtrueMicrosoft WindowsValid 734700x8000000000000000354120Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.174{6820D070-5017-6323-8A01-000000007502}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000354119Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.174{6820D070-5017-6323-8A01-000000007502}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000354118Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.174{6820D070-5017-6323-8A01-000000007502}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000354117Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.174{6820D070-5017-6323-8A01-000000007502}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000354116Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.174{6820D070-5017-6323-8A01-000000007502}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000354115Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.174{6820D070-5017-6323-8A01-000000007502}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000354114Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.174{6820D070-5017-6323-8A01-000000007502}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000354113Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.174{6820D070-5017-6323-8A01-000000007502}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000354112Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.174{6820D070-5017-6323-8A01-000000007502}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000354111Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.174{6820D070-5017-6323-8A01-000000007502}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000354110Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.174{6820D070-5017-6323-8A01-000000007502}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000354109Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.174{6820D070-5017-6323-8A01-000000007502}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000354108Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.174{6820D070-5017-6323-8A01-000000007502}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000354107Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.174{6820D070-5017-6323-8A01-000000007502}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000354106Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.174{6820D070-5017-6323-8A01-000000007502}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000354105Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.174{6820D070-5017-6323-8A01-000000007502}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000354104Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.174{6820D070-5017-6323-8A01-000000007502}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000354103Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.174{6820D070-5017-6323-8A01-000000007502}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 734700x8000000000000000354102Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.174{6820D070-5017-6323-8A01-000000007502}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000354101Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.174{6820D070-5017-6323-8A01-000000007502}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000354100Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.174{6820D070-5017-6323-8A01-000000007502}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000354099Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.174{6820D070-5017-6323-8A01-000000007502}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 10341000x8000000000000000354098Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.174{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-5017-6323-8A01-000000007502}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000354097Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.174{6820D070-5017-6323-8A01-000000007502}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000354096Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.174{6820D070-5017-6323-8A01-000000007502}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000354095Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.174{6820D070-5017-6323-8A01-000000007502}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000354094Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.174{6820D070-5017-6323-8A01-000000007502}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exeMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9trueSplunk, Inc.Valid 10341000x8000000000000000354093Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.174{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354092Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.174{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354091Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.174{6820D070-4ACF-6323-0500-000000007502}404420C:\Windows\system32\csrss.exe{6820D070-5017-6323-8A01-000000007502}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000354090Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.174{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354089Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.174{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354088Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.174{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-5017-6323-8A01-000000007502}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000354087Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:27.175{6820D070-5017-6323-8A01-000000007502}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000192325Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:28.523{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EEF1396D78934CBE09A969F3A08A8EB,SHA256=99A2EA01A7CA2E0A92AC73AD9D014C7FA9A0143C9958BDB625E7EC0D25B56186,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000354144Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:28.394{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Users\Administrator\AppData\Roaming\Tor\tor.zip2022-09-15 16:17:18.136 23542300x8000000000000000354143Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:28.276{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0247B40132ECEEB7FCF0D97605C04A54,SHA256=A3CC7D847E5197E76A11BD03D02EAB1460B30CF158BAF88BEFBAA03BD6316856,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354142Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.908{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63068- 354300x8000000000000000354141Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.908{6820D070-4AD1-6323-1100-000000007502}408C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63068-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local53domain 354300x8000000000000000354140Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.890{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63665-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 354300x8000000000000000354139Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.890{6820D070-4ADF-6323-2600-000000007502}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local63665-true0:0:0:0:0:0:0:1win-dc-ctus-attack-range-403.attackrange.local389ldap 23542300x8000000000000000192326Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:29.618{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=313EA68B8BF2767FC6E818E8EFF7D1AE,SHA256=9A8A47C2974C1392CBC8BCF3530A072010B4B1665516ADE463E5BC9041FADB40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354150Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:29.095{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28B93302857DA0C4B9C5152805CA2F34,SHA256=BF25511667D44FE2ECA212ADCAE17F1A0D342A2B47D19A26A74301ADF9A5159F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354149Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.754{6820D070-4AB3-6323-0100-000000007502}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63668-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local445microsoft-ds 354300x8000000000000000354148Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:26.754{6820D070-4AB3-6323-0100-000000007502}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63668-false10.0.1.14win-dc-ctus-attack-range-403.attackrange.local445microsoft-ds 354300x8000000000000000354147Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.911{6820D070-4AD1-6323-1100-000000007502}408C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruea00:10e:0:0:c8f0:65f5:8cc8:ffff-55328-truee000:fc:2202:0:0:2cd8:fa7f:0-5355llmnr 354300x8000000000000000354146Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:25.911{6820D070-4AD1-6323-1100-000000007502}408C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruetruefe80:0:0:0:2135:d7af:67a3:9d8dwin-dc-ctus-attack-range-403.attackrange.local55328-trueff02:0:0:0:0:0:1:3-5355llmnr 23542300x8000000000000000354145Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:29.064{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\glean\db\data.safe.binMD5=800A332ED3C24617CEE8C73BA5B10F51,SHA256=9D95E1F4F9B83A38DF87D6184103D213B497D2DB651426C58D024AC731468144,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192327Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:30.714{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6011D5E3D495251EDC64ABA8B1D44DB3,SHA256=4D6CF5D893CE3F88F1E676377E486E94C5ED2C556C6D7F4AE93481D225C60D35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354151Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:30.165{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E58147B927CA73693AD83DCB946A25E,SHA256=CC2D91C1E054EF419C8385948F7FE64A43153DD843475FA2D90BC4F492D42C3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192328Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:31.814{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B5BED20DCD6F14F7824CA0900AB1E04,SHA256=5D5277B5D2074E54ABA93BC0FD924A0BE03B506BF0B3F9F5194E6E38727E2B18,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000354154Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:31.732{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Users\Administrator\AppData\Roaming\Tor\tor.zip2022-09-15 16:17:18.136 23542300x8000000000000000354153Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:31.233{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A099922B2CCAC538F8620A7BAF230F6E,SHA256=5B2ACAF78424CF631DC08BE8445862B17813F9B3ABE3B303081731F36686C128,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354152Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:28.332{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63672-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000192331Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:32.918{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=075C07FF64687D549CFD0426282265EC,SHA256=E9AC5372B35C1BBF80E4EBB3024A85CF0069C0D05734DC3CEA9CDF78898921E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354155Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:32.184{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC7FD70CC4479BB3D94030DC8A8ADB46,SHA256=2AB30A1E76042C1BB3EDF49D254E18DB5F3E5602749A609A86D9504BEAC033FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192330Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:29.446{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49959-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000192329Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:32.160{E743DC12-4AD0-6323-1C00-000000007602}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\respondent-20220915155459-021MD5=36EB26F9EED14D2A649109B5B0D3FC1A,SHA256=D5225DBB467937E991D5678F78067E4612BF477D9EC2143F1C43E71004CE921E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354156Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:33.253{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A3BE0573F8ACE79A3E0D79D33B64F8C,SHA256=811A9288C3F92653A2CF570D9370B58086E4B08F5337F5C4A7DDBC436024AB9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192332Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:33.169{E743DC12-4AD0-6323-1C00-000000007602}1924NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0f12d5aa9a0d8ed86\channels\health\surveyor-20220915155457-022MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192333Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:34.132{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCFD1CC245EE22827860892EF4C833AB,SHA256=57543EBE9BCDA763DC9AA2F86ACCED8679F211EEC40BBA3B8660293C77A85680,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354157Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:34.302{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CE1A6750E3742168692A0A9C9CD8DC1,SHA256=FB14D6B3D9178C07896918649F59116D5DA23334867C1682FFDC5003370D4FD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192334Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:35.226{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D0B2E5144421D69208B040317FD42C1,SHA256=40011209CB731A346726652B9EF1A9674BAD5544D7B0CCA04131E1325818393A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354159Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:35.356{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=121308EAE3E5879FF4D17FACA9BBDA26,SHA256=CC884369CF5784374CFBF1E1BCC39D494A666EEC079D000C9667676F77EF2360,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000354158Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:35.038{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Users\Administrator\AppData\Roaming\Tor\tor.zip2022-09-15 16:17:18.136 354300x8000000000000000192336Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:34.459{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49960-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000192335Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:36.426{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACAC4DDAE23EC4BB0E8C1AB7AB8FE2CE,SHA256=59D330AB4107AF82896C41202298CCB42B9D86F62E8991821A2CD03AA509934E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354161Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:36.458{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C73B1C14792195AE9FD86EC5CE80E113,SHA256=FEBA244B6251D37DC1600580FF7F410CA651D60802D7E31A7C93148B2E0FE2E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354160Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:33.421{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63682-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000192337Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:37.513{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ED254DB50AA8310BDA5420FD6F48273,SHA256=AA1C58681949C2EEE5542CBBA87B7B2A28DFE739C9061118476DACD7E23AD088,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354162Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:37.523{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1D4EB440BD339A55ABAC1584B1A6E70,SHA256=6A12ED4CF17D80A15E267AA07888AE6167A756DCDCC7F880C34792948871835F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192338Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:38.603{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92A95D95255514C37270100E70036B23,SHA256=0CD96C571BA5A4431A197651D110A92266DCA8986C7C421CC54898C182AA2BF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354164Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:38.664{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC244F763FD776F4BE6CE412EB10CE2F,SHA256=454CAA679C96E4AEC18833DD20E6079779C23F96033837510A15B0813A673A42,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000354163Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:38.379{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Users\Administrator\AppData\Roaming\Tor\tor.zip2022-09-15 16:17:18.136 23542300x8000000000000000192339Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:39.802{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68A331CB2A27461699187EB953DC6786,SHA256=3293A3451FBF5A9BDA3689150B4D3C2F701527554A49B921B954A80657898991,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354190Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:39.785{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2E00-000000007502}2728C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354189Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:39.784{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2D00-000000007502}2720C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354188Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:39.779{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 23542300x8000000000000000354187Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:39.743{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86728F930B34BA7D38698ED0DA1FF181,SHA256=F8BAE7733EE908B16873C4451952019B6CD8AC238C70FFC7A8EA7648B5B4794B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354186Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:39.434{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=34128F2DEF262193A0F81AFA05FA0877,SHA256=564074F800BE8752E7BC2DD9A9941E8A859A398194FD0DB1B0A147A07AB210E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354185Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:39.365{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354184Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:39.358{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2900-000000007502}2576C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354183Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:39.352{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354182Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:39.343{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2600-000000007502}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354181Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:39.337{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2500-000000007502}2460C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354180Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:39.334{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADB-6323-2300-000000007502}2300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354179Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:39.332{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD2-6323-1B00-000000007502}1512C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354178Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:39.330{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1700-000000007502}1348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354177Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:39.318{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1600-000000007502}1292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354176Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:39.295{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354175Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:39.290{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1400-000000007502}1160C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354174Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:39.284{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1300-000000007502}924C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354173Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:39.275{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1200-000000007502}396C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354172Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:39.268{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1100-000000007502}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354171Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:39.255{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1000-000000007502}428C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354170Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:39.244{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0F00-000000007502}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354169Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:39.231{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354168Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:39.211{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0D00-000000007502}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354167Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:39.204{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354166Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:39.159{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354165Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:39.156{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0900-000000007502}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 23542300x8000000000000000354192Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:40.800{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64F7B8DD45593CE30BFC78F50134F3EF,SHA256=6CFB8E35FC8E8D7E0E5C635847874EE62D23B6BCD1438FED50A1A635AC01FDA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354191Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:40.216{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\glean\db\data.safe.binMD5=0179BD200D943E07A9362A15D69F996B,SHA256=69C551B5B6330320828643F5E61D81312AC77D2EE90A26286987BE4F08CDBDBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354200Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:41.851{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B50457A5C3CDB8C76DAEBF655A9DBCC4,SHA256=E07BE549725806928F5A554A3A0405ECBA63E90BC88AEA51E686F80E3E693443,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354199Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:41.811{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3500-000000007502}2408C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354198Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:41.810{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3300-000000007502}2176C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354197Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:41.807{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354196Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:41.805{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3100-000000007502}2816C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354195Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:41.803{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2F00-000000007502}2800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 23542300x8000000000000000192340Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:41.014{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C2C27FABEEFE526D640DE1708611F72,SHA256=9B02995C7ED20DA1A2F735704977CC8C3D069FFADACE560DE1D0D432455C9261,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354194Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:41.800{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3000-000000007502}2780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 11241100x8000000000000000354193Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:41.668{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Users\Administrator\AppData\Roaming\Tor\tor.zip2022-09-15 16:17:18.136 354300x8000000000000000192343Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:40.448{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49961-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000192342Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:42.112{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=634577D0933AAA75C07BDAA83D8507A4,SHA256=2D0A6461ADF99857A145F260358CA4AE964E00F5E18FA8CFA8E869C89C421848,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354233Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:42.482{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354232Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:42.481{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354231Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:42.481{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4FC8-6323-7701-000000007502}8024C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354230Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:42.466{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354229Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:42.464{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354228Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:42.461{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354227Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:42.459{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354226Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:42.456{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354225Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:42.453{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354224Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:42.449{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF6-6323-1401-000000007502}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354223Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:42.448{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354222Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:42.445{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F100-000000007502}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354221Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:42.442{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F000-000000007502}6028C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354220Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:42.441{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EF00-000000007502}5984C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354219Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:42.430{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EE00-000000007502}5852C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354218Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:42.406{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354217Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:42.399{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354216Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:42.390{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354215Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:42.356{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354214Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:42.348{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-9100-000000007502}4556C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354213Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:42.340{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-8E00-000000007502}4492C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354212Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:42.335{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8B00-000000007502}4360C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354211Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:42.333{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8900-000000007502}900C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354210Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:42.331{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B64-6323-8600-000000007502}5052c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354209Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:42.329{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B5A-6323-8400-000000007502}4824C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354208Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:42.327{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AF2-6323-7D00-000000007502}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354207Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:42.325{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354206Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:42.321{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4C00-000000007502}3976C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354205Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:42.320{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4700-000000007502}3772C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354204Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:42.318{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE1-6323-4600-000000007502}3752C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 10341000x8000000000000000354203Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:42.317{6820D070-4ADF-6323-2A00-000000007502}26163232C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE0-6323-3A00-000000007502}3404C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000012C38610) 354300x8000000000000000354202Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:39.330{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63693-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000354201Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:42.085{6820D070-4AD1-6323-0D00-000000007502}8883304C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000192341Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:42.096{E743DC12-4AD1-6323-2200-000000007602}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=4B7BC684E38C4D7AA1D4BE376EF3C34C,SHA256=A5BD8DCD1981E40183EE5B9B2E4C1112109CBB568EE9C620FD3ECD5CECAE7259,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192354Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:43.998{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1300-000000007602}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192353Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:43.989{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1200-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192352Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:43.982{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1100-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192351Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:43.973{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1000-000000007602}940C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192350Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:43.968{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0F00-000000007602}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192349Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:43.962{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0E00-000000007602}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192348Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:43.955{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0D00-000000007602}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192347Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:43.949{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0C00-000000007602}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192346Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:43.943{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192345Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:43.941{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0900-000000007602}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 23542300x8000000000000000192344Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:43.212{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32CCF8D87D0DF7E3378CEF87B47521FF,SHA256=4C005F33655514EA537818993ABCD15D4CBD41A9510D3832B6820C5E2BD3FA20,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354236Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:43.635{6820D070-4AD1-6323-0D00-000000007502}8883304C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354235Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:43.635{6820D070-4AD1-6323-0D00-000000007502}8883304C:\Windows\system32\svchost.exe{6820D070-4AE2-6323-4C00-000000007502}3976C:\Windows\system32\wbem\wmiprvse.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000354234Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:43.151{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=440A9A9B0803128539B67651EB3F92BF,SHA256=44E112B7BDD21A6F285A3A6B0E922FEA740967E97D244C04F673BD80E93E797D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192381Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:44.769{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B73CD4C5A4FDF6CC11AA33882DE4E3EA,SHA256=FD985088BC1E113E1A70843A3F2BE39159C7012243BEE289BF48D06288E63786,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000354238Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:44.975{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Users\Administrator\AppData\Roaming\Tor\tor.zip2022-09-15 16:17:18.136 23542300x8000000000000000354237Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:44.273{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D80A5CC708E08819630519C448D8426,SHA256=DB1237838F2278B22ADC36B9D0094C97F6549322B470B9D512AEF1AD44D32128,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192380Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:44.128{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B84-6323-9000-000000007602}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192379Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:44.118{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192378Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:44.104{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192377Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:44.099{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8700-000000007602}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192376Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:44.093{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B81-6323-8400-000000007602}3052C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192375Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:44.089{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B80-6323-8100-000000007602}640C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192374Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:44.087{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B7F-6323-7F00-000000007602}1676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192373Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:44.084{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B4B-6323-7B00-000000007602}2656C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192372Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:44.083{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AE3-6323-6D00-000000007602}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192371Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:44.080{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192370Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:44.077{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4200-000000007602}3036C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192369Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:44.077{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4000-000000007602}3000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192368Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:44.075{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-3C00-000000007602}2820C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192367Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:44.074{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD2-6323-2B00-000000007602}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192366Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:44.073{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2600-000000007602}2612C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192365Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:44.072{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2500-000000007602}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192364Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:44.068{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192363Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:44.064{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192362Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:44.062{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2000-000000007602}2000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192361Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:44.060{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1F00-000000007602}1984C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192360Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:44.053{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1C00-000000007602}1924C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192359Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:44.048{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1900-000000007602}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192358Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:44.036{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1700-000000007602}1228C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192357Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:44.035{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1600-000000007602}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192356Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:44.028{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1500-000000007602}1056C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 10341000x8000000000000000192355Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:44.005{E743DC12-4AD0-6323-1D00-000000007602}19442036C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1400-000000007602}1048C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(0000000013100190) 23542300x8000000000000000192382Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:45.849{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DA77F4940CA450F9DBFB05A98BE3EA2,SHA256=FFFF803DC326186D6F20ED9673D6E1611AC560436FDEA4551232EEED3E03606A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354240Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:45.357{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE1FB0CBDE7ECBAD523D7A071D8D2B6E,SHA256=E41080CD3B008C9EBD161BD708B61836D051AC67FDDB6CE44F6CC45B81DBD859,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354239Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:45.239{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\glean\db\data.safe.binMD5=93111DC4DE9892378415E9E52F32B4DB,SHA256=29930FB2FE813ED6984C5B10B22E6BD5822E56753B8D4FE5F008439EFFE5A739,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354242Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:46.895{6820D070-4ADF-6323-2900-000000007502}2576NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\respondent-20220915155514-021MD5=3EE9864ACDFFE78A8B2E0DEDF704C720,SHA256=3E9075B80C33CFA58EAF977E4450D367AD693E429428DFB55B91DE7FD240E49F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354241Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:46.425{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1F887214A5FDA4F55BAB5346BD41A09,SHA256=2D4B507E23EF7D032FD2E38F6770EFC601DF22CE959EAA7EAEF97740DEDE0F7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354245Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:47.894{6820D070-4ADF-6323-2900-000000007502}2576NT AUTHORITY\SYSTEMC:\Program Files\Amazon\SSM\amazon-ssm-agent.exeC:\ProgramData\Amazon\SSM\InstanceData\i-0c9d0585484de52cc\channels\health\surveyor-20220915155511-022MD5=97EF2A570B75C4F95FC69B0D09A2E2A2,SHA256=11396EA313B0ED7E3228C4FA92ABE9D836DB8F416A7A8A28ACC77133025082E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354244Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:47.441{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E1682B784F1063DDF9A105CF4AC71F5,SHA256=46EC1ABA324B9B3E071A6439B2C5C086A095DE4B544A222B6F7659FC06F6B044,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192383Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:47.060{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48E93E9DDF2FC6BF4BFE9562A2E2CEA7,SHA256=73AD8D1DC38E03E7E59C89622C5505D83D720856CD0A41899764D9D69B60B297,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354243Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:44.375{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63704-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 354300x8000000000000000192385Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:46.355{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49962-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000192384Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:48.386{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=360308C94C2D717B0FA1530EA98C8EDF,SHA256=0209A8B3166199E342A614D00F3EB7C9179D6DFBD83F0F40053DFF668AC8E3C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354247Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:48.543{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BCCB9ADB66825EF1B9E10F9E679E227,SHA256=52DAE75E3E4202E292D335594E40480B6CCF43C1F9C1C94207CE52F0CD494B87,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000354246Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:48.327{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Users\Administrator\AppData\Roaming\Tor\tor.zip2022-09-15 16:17:18.136 23542300x8000000000000000192386Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:49.493{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E28638CD2A17DB8396EA57E9E7E43FAE,SHA256=6CDD6233D5A7E9E9EEB303AC645F743768F84B60FD936B8DE02B6049453F1162,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354248Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:49.613{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA4D855162678537D16848A218337E5B,SHA256=2A536FD0A5326E30414E3D91BA29B252736666AB67FF61C73EBA1DD1FCD66C59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192387Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:50.575{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAE77253064F4C9E747E8861E846C5C5,SHA256=9567B1F8A16FBD17D93EC24DEA31D59D3ED61D7CCCFDE6B3428B441AD5105BD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354249Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:50.667{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81DC83023905C7F4E82A51472B4FFE50,SHA256=F88125DD4DE97FB2577FE3832AC76B724995FE07C2352A806F1B0463E9864577,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192388Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:51.668{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5603E334F0ECAF4B2BBF5B79D0C02AF8,SHA256=E4C2D7959D260646A47C2B23182A3B525107153698F50E6A1E5019204536E49A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354251Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:51.767{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FFFEB6EC83B9B44B7166FE5921D102D,SHA256=D736336396B1EC0852654C122998CA7D517D8448DD2E3CF52C07B4B16B935C21,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000354250Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:51.619{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Users\Administrator\AppData\Roaming\Tor\tor.zip2022-09-15 16:17:18.136 23542300x8000000000000000192389Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:52.765{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F954E88FDFF1EEEB5E5CC172847FE2E4,SHA256=16161772F8522B6BEF4FAFD8416358F3DA78B986354959A51074E17B130208D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354255Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:52.804{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D402BA62AD958E791803B4C5D8DD96F5,SHA256=FE3C85DE6AE926580D5B2E01910DA23240FE3D26E386A27490A7CB01A6E1E0D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354254Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:50.286{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A65051- 354300x8000000000000000354253Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:50.285{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local53domainfalse10.0.1.15WIN-HOST-CTUS-A60342- 354300x8000000000000000354252Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:49.432{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63713-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000192392Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:53.851{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F57C090264F1F053D1304A60B305CA47,SHA256=F54E99287616D70E391FEA29CDC2EDB462B2FF9A5E55F564D545BE4C50FA5E08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354257Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:53.853{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA41721C5FF7BEA2F1B86D1761FCFEF7,SHA256=581EFFD843C7F49D27EBF0AFDA8CAC5A7C72CCED5324E09C753B9DF7C7786AA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192391Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:50.321{E743DC12-4AD0-6323-1700-000000007602}1228C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal60342-false10.0.1.14-53domain 354300x8000000000000000192390Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:50.320{E743DC12-4AD0-6323-1700-000000007602}1228C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:c880:8b4:85e6:ffff-60342-truea00:10e:0:0:0:0:0:0-53domain 10341000x8000000000000000354256Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:53.288{6820D070-4AD1-6323-0D00-000000007502}8883304C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000192394Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:54.940{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9312AA2ADE7B466F54BE9F9B7D3E812A,SHA256=22497E08B035ED2E9D18E62B2B3D9CEBE7A754F3BD2C910937C15956792DBA88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354258Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:54.921{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=261FD19803529B0E7E1C9585DE2ED8F7,SHA256=E19599C62481F9869D2EFFC7C51966D2F53F2030AC60A56D6434FADEA199F39D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192393Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:51.370{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49963-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354260Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:55.976{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10B9B0B9FC6B7CB23561C2D2B9B1A983,SHA256=0D49E12D073D645C915FB70792692076B3FEEAE5DECFE7A7C40D7C2584B7714B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000354259Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:55.007{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Users\Administrator\AppData\Roaming\Tor\tor.zip2022-09-15 16:17:18.136 23542300x8000000000000000192395Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:56.041{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD4C0CD26E382C622377DA3568C76FB0,SHA256=5CB6F7BA20FA05A13A736EDB4A1D599A00F6605FF97DF231C65C3F512B29DA7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192397Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:57.440{E743DC12-4AD0-6323-1100-000000007602}1000NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=691631F7AA60BAF7A1162269576D824E,SHA256=EFCA4866FCDCD4B52D03ABC588A116B1CAC7EF59D2EB0B001FBA809EC8A85503,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192396Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:57.143{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77CFD9D82DF2A89019FB487B90DBF709,SHA256=4E8D11C9CBF80DC1B801F81F4D39011A8E4C71BEC4D4525559CCF49160CD834E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354263Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:55.334{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63726-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354262Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:57.103{6820D070-4ADF-6323-3200-000000007502}2936NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=FA30F1F01579A382B748B332325181D0,SHA256=C85BA6D13A68C87CF35F484F942D0F3AF4A9A7682C979E82540023F4E17779C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354261Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:57.018{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0323500CB0A5ADD2B01E44BB8E200049,SHA256=1DDAF8CDAAD964822F994D8208561376AC2538FC7DCF56F9A4F3C94A93A2EAD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192398Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:58.243{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48A4C6FEBF50E4F8639835B2E5456964,SHA256=EDF4E7F302005D06054AF97BCBD9C2F4646DB3207FF0DC04EC2F3D31E2AF9D94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354266Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:58.888{6820D070-4AD1-6323-1100-000000007502}408NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=96D638074F63159ED0A187C859C2F250,SHA256=3A5DAB830B06373D06C2C874F26BC41D9462DE647E2D4787D45DBB80380B6668,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000354265Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:58.391{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Users\Administrator\AppData\Roaming\Tor\tor.zip2022-09-15 16:17:18.136 23542300x8000000000000000354264Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:58.081{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4892254B9F6D43A41EA38BD569BD9A9E,SHA256=2D94D2196A520EA45F2ABC22245901AC95D38702F0EF45142E5731FF36117C52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192399Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:59.446{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4D92DA55CB8D15EBDA7E3BA9ABF7088,SHA256=E2BBBD24D8F5AA51BD7459DB855448BE6DE4488C1D8044976DFE45EBE563AD84,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354291Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:59.738{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2E00-000000007502}2728C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354290Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:59.737{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2D00-000000007502}2720C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354289Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:59.732{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354288Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:59.343{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354287Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:59.338{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2900-000000007502}2576C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354286Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:59.331{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354285Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:59.321{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2600-000000007502}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354284Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:59.315{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2500-000000007502}2460C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354283Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:59.309{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADB-6323-2300-000000007502}2300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354282Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:59.307{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD2-6323-1B00-000000007502}1512C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354281Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:59.303{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1700-000000007502}1348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354280Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:59.295{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1600-000000007502}1292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354279Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:59.270{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354278Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:59.261{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1400-000000007502}1160C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354277Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:59.255{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1300-000000007502}924C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354276Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:59.247{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1200-000000007502}396C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354275Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:59.239{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1100-000000007502}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354274Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:59.233{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1000-000000007502}428C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354273Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:59.223{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0F00-000000007502}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354272Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:59.217{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354271Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:59.206{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0D00-000000007502}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354270Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:59.198{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354269Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:59.159{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354268Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:59.154{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0900-000000007502}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 23542300x8000000000000000354267Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:17:59.124{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9886417AA955009A4CB8C0E36E564968,SHA256=E208D99749B1F05FBDDAFFF0DB8F70F6414CF466639B5D6A7864CE2ED6499125,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192401Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:00.541{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E56C678D8DD4C9004F64B31E40FD8DEF,SHA256=E7BF6FD09B2C15A1732D02FD7030E1DC165CBA80F34DC2A1CCF9400A73B77E17,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354295Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:00.342{6820D070-4B7F-6323-9900-000000007502}29724976C:\Windows\Explorer.EXE{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+bdd30|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8013285BCD8)|UNKNOWN(FFFFD9E122A77E08)|UNKNOWN(FFFFD9E122A77F87)|UNKNOWN(FFFFD9E122A72611)|UNKNOWN(FFFFD9E122A73FDA)|UNKNOWN(FFFFD9E122A72296)|UNKNOWN(FFFFF80132571503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd 10341000x8000000000000000354294Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:00.342{6820D070-4B7F-6323-9900-000000007502}29724976C:\Windows\Explorer.EXE{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0f5|C:\Windows\System32\SHELL32.dll+bd811|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9824|UNKNOWN(FFFFF8013285BCD8)|UNKNOWN(FFFFD9E122A77E08)|UNKNOWN(FFFFD9E122A77F87)|UNKNOWN(FFFFD9E122A72611)|UNKNOWN(FFFFD9E122A73FDA)|UNKNOWN(FFFFD9E122A72296)|UNKNOWN(FFFFF80132571503)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+c159b|C:\Windows\System32\SHELL32.dll+5bffa|C:\Windows\System32\SHCORE.dll+33fbd|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000354293Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:00.342{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RF15cb1a.TMPMD5=AE83E3D1BED7E22F099EC37882555B7F,SHA256=19C20C1DAA5B1C1F7E9A0561569A10ABB7DBF1B544D26F74C2B5990D9C688508,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354292Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:00.187{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A7F9EA456034D5E203B99D2A67BD983,SHA256=671021D77190B1893AD4444128A952D50268E5AAAD193773F00C2A45F55D38C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192400Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:17:57.288{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49964-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000192402Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:01.630{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1725C6FB2CA09491D8EE6EA5A4F5A81C,SHA256=04BD64596D7F53040C7200A7F27BE8AAF1382FE502544638197D93D63FBA6819,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354304Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:01.760{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3500-000000007502}2408C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354303Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:01.759{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3300-000000007502}2176C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354302Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:01.753{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354301Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:01.751{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3100-000000007502}2816C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354300Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:01.748{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2F00-000000007502}2800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354299Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:01.744{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3000-000000007502}2780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 11241100x8000000000000000354298Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:01.595{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Users\Administrator\AppData\Roaming\Tor\tor.zip2022-09-15 16:17:18.136 10341000x8000000000000000354297Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:01.310{6820D070-4AD1-6323-0D00-000000007502}8883304C:\Windows\system32\svchost.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000354296Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:01.246{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21855C88D85EEDDA8F5F7A7B002BC099,SHA256=7297553B7D7E472B25E6CAE727C7047A1FB86D6857F50DE63AA3EB667BF765C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192403Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:02.727{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AD1F004A5FAAE6698321D84AB30332E,SHA256=341730E24E50AC35C3D105EB53BFE883E4E4E061814A26509FEAB936248157A1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354337Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:00.367{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63736-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000354336Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:02.423{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354335Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:02.422{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354334Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:02.422{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4FC8-6323-7701-000000007502}8024C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354333Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:02.409{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354332Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:02.406{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354331Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:02.404{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354330Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:02.401{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354329Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:02.399{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354328Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:02.396{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354327Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:02.393{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF6-6323-1401-000000007502}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354326Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:02.391{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354325Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:02.387{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F100-000000007502}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354324Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:02.384{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F000-000000007502}6028C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354323Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:02.383{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EF00-000000007502}5984C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354322Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:02.375{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EE00-000000007502}5852C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354321Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:02.357{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354320Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:02.349{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354319Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:02.340{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354318Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:02.312{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354317Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:02.307{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-9100-000000007502}4556C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354316Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:02.299{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-8E00-000000007502}4492C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354315Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:02.296{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8B00-000000007502}4360C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354314Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:02.295{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8900-000000007502}900C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354313Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:02.291{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B64-6323-8600-000000007502}5052c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354312Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:02.288{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B5A-6323-8400-000000007502}4824C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354311Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:02.286{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AF2-6323-7D00-000000007502}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354310Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:02.284{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 23542300x8000000000000000354309Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:02.281{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6174E72D3B81359BDB5460D1B1F15407,SHA256=D1463C8D41EDAE415D9EF82A35FF935A1E92D17B62740FF740FB59C41DDE2D77,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354308Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:02.281{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4C00-000000007502}3976C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354307Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:02.279{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4700-000000007502}3772C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354306Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:02.277{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE1-6323-4600-000000007502}3752C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354305Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:02.277{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE0-6323-3A00-000000007502}3404C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000192412Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:03.997{E743DC12-4AD0-6323-1D00-000000007602}19442844C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1100-000000007602}1000C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000192411Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:03.983{E743DC12-4AD0-6323-1D00-000000007602}19442844C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1000-000000007602}940C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000192410Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:03.976{E743DC12-4AD0-6323-1D00-000000007602}19442844C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0F00-000000007602}888C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000192409Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:03.962{E743DC12-4AD0-6323-1D00-000000007602}19442844C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0E00-000000007602}880C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000192408Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:03.954{E743DC12-4AD0-6323-1D00-000000007602}19442844C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-0D00-000000007602}788C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000192407Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:03.945{E743DC12-4AD0-6323-1D00-000000007602}19442844C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0C00-000000007602}724C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000192406Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:03.938{E743DC12-4AD0-6323-1D00-000000007602}19442844C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000192405Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:03.936{E743DC12-4AD0-6323-1D00-000000007602}19442844C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ACF-6323-0900-000000007602}568C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000192404Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:03.812{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DFF9244A782514651EA7C4FDA65CBBB,SHA256=31356FB67669B778E0E14221B426A8E3EC5D7B43929C6A377A0BA94F535EE06C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354339Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:03.630{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\glean\db\data.safe.binMD5=FA1887C93090225CBCB436B2412A7CE5,SHA256=C3654A90C74FA22851553E2AD9EFA0360DBEFDF35021FED1CF5811C2DAC6B55E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354338Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:03.345{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=129D469839242FE5AD9E6148024590D0,SHA256=1A9F182B1A33BBA5964F810D451FB026C1E0CF6D703B1EE26DC881A36A9A27C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192441Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:04.923{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=836CDD1F39A8B55C818749A68E5EEBA8,SHA256=D8678C908E4F21C7F6E49D71BB96F5AAE8FB38DDFA68D96580DD50409B2F2DBE,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000354341Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:04.916{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Users\Administrator\AppData\Roaming\Tor\tor.zip2022-09-15 16:17:18.136 23542300x8000000000000000354340Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:04.363{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=530FED909AB87894408CA2AFAE46A587,SHA256=4984B53C06E4AB9FE2D8BF735186D429DDEF25149241E40FAA474BC7EF09FE90,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192440Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:04.189{E743DC12-4AD0-6323-1D00-000000007602}19442844C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B84-6323-9000-000000007602}4336C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000192439Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:04.179{E743DC12-4AD0-6323-1D00-000000007602}19442844C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B83-6323-8F00-000000007602}4236C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000192438Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:04.163{E743DC12-4AD0-6323-1D00-000000007602}19442844C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8E00-000000007602}3356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000192437Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:04.157{E743DC12-4AD0-6323-1D00-000000007602}19442844C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B82-6323-8700-000000007602}3644C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000192436Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:04.151{E743DC12-4AD0-6323-1D00-000000007602}19442844C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B81-6323-8400-000000007602}3052C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000192435Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:04.146{E743DC12-4AD0-6323-1D00-000000007602}19442844C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B80-6323-8100-000000007602}640C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000192434Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:04.145{E743DC12-4AD0-6323-1D00-000000007602}19442844C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B7F-6323-7F00-000000007602}1676C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000192433Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:04.142{E743DC12-4AD0-6323-1D00-000000007602}19442844C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4B4B-6323-7B00-000000007602}2656C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000192432Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:04.140{E743DC12-4AD0-6323-1D00-000000007602}19442844C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AE3-6323-6D00-000000007602}3488C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000192431Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:04.139{E743DC12-4AD0-6323-1D00-000000007602}19442844C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000192430Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:04.136{E743DC12-4AD0-6323-1D00-000000007602}19442844C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4200-000000007602}3036C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000192429Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:04.135{E743DC12-4AD0-6323-1D00-000000007602}19442844C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-4000-000000007602}3000C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000192428Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:04.133{E743DC12-4AD0-6323-1D00-000000007602}19442844C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD3-6323-3C00-000000007602}2820C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000192427Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:04.132{E743DC12-4AD0-6323-1D00-000000007602}19442844C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD2-6323-2B00-000000007602}2904C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000192426Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:04.131{E743DC12-4AD0-6323-1D00-000000007602}19442844C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2600-000000007602}2612C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000192425Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:04.128{E743DC12-4AD0-6323-1D00-000000007602}19442844C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2500-000000007602}2360C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000192424Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:04.125{E743DC12-4AD0-6323-1D00-000000007602}19442844C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000192423Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:04.121{E743DC12-4AD0-6323-1D00-000000007602}19442844C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000192422Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:04.119{E743DC12-4AD0-6323-1D00-000000007602}19442844C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-2000-000000007602}2000C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000192421Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:04.117{E743DC12-4AD0-6323-1D00-000000007602}19442844C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1F00-000000007602}1984C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000192420Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:04.110{E743DC12-4AD0-6323-1D00-000000007602}19442844C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1C00-000000007602}1924C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000192419Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:04.102{E743DC12-4AD0-6323-1D00-000000007602}19442844C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1900-000000007602}1780C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000192418Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:04.073{E743DC12-4AD0-6323-1D00-000000007602}19442844C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1700-000000007602}1228C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000192417Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:04.072{E743DC12-4AD0-6323-1D00-000000007602}19442844C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1600-000000007602}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000192416Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:04.064{E743DC12-4AD0-6323-1D00-000000007602}19442844C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1500-000000007602}1056C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000192415Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:04.035{E743DC12-4AD0-6323-1D00-000000007602}19442844C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1400-000000007602}1048C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000192414Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:04.022{E743DC12-4AD0-6323-1D00-000000007602}19442844C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1300-000000007602}872C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 10341000x8000000000000000192413Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:04.012{E743DC12-4AD0-6323-1D00-000000007602}19442844C:\Program Files\Aurora-Agent\aurora-agent.exe{E743DC12-4AD0-6323-1200-000000007602}1008C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000131803D0) 23542300x8000000000000000192443Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:05.990{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F9AE1F3C59E5601C918BE412DF93432,SHA256=239FD5D35623CCE3653F3574ADF41ABD6F52CE9F2C9082C1BFF088ADCA2124F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354342Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:05.420{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C4358D0930B039D38BD337B0214FF8F,SHA256=DC9FA9EFE1823637E9F1F9D4A2047AC7FB4A45D8D218FEC9D68F41BAC77CF65F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192442Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:03.279{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49965-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354343Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:06.468{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=844A23C91703DEAB132133DDBF898055,SHA256=4DA6E87CD5A25A7D9797492A4622C7E067733EC9C86BFB2E34BAFF8940C74754,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192447Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:06.308{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192446Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:06.308{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4ACF-6323-0B00-000000007602}628C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192445Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:06.308{E743DC12-4ACF-6323-0B00-000000007602}6282712C:\Windows\system32\lsass.exe{E743DC12-4AD0-6323-1400-000000007602}1048C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\lsasrv.dll+1c2ad|C:\Windows\system32\lsasrv.dll+29260|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192444Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:06.293{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-1D00-000000007602}1944C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000354344Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:07.538{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7634835C9C39974CD8ACBF3215CDD728,SHA256=55C2B7B799FE2A9FF7D893A718B84E453073158891E8C19F6C4596A4C4FEB73E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192456Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:07.702{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-503F-6323-2B01-000000007602}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192455Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:07.702{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192454Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:07.702{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192453Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:07.702{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192452Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:07.702{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192451Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:07.702{E743DC12-4ACF-6323-0500-000000007602}4121064C:\Windows\system32\csrss.exe{E743DC12-503F-6323-2B01-000000007602}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192450Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:07.702{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-503F-6323-2B01-000000007602}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000192449Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:07.703{E743DC12-503F-6323-2B01-000000007602}3756C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000192448Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:07.082{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49AFBE82EE7342BB6AC3E93FA0049E59,SHA256=F42823EC15704848628F6D6147E84CF817F2A15B1380425C65127D31D4E1D492,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354346Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:08.604{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC19349CCBE28F192A422118CDAD8AF6,SHA256=F269CDE0562A46E2E7F7392E21BE7D2816A2E3DC5FA62A36BE1DFA49B1E696A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192475Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:08.890{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-5040-6323-2D01-000000007602}1508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192474Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:08.890{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192473Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:08.890{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192472Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:08.890{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192471Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:08.890{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192470Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:08.890{E743DC12-4ACF-6323-0500-000000007602}412428C:\Windows\system32\csrss.exe{E743DC12-5040-6323-2D01-000000007602}1508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192469Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:08.890{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-5040-6323-2D01-000000007602}1508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000192468Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:08.891{E743DC12-5040-6323-2D01-000000007602}1508C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.2.5Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=92BD3C71158FA8B9A0821D43564A56E7,SHA256=7850C91F8D08679D7A0579D350C08CA6F6EDEA8A12226ADC2E30B4ABF8CE0BE2,IMPHASH=FD2D4472615B421BAEF1D51F46EF5F52{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000192467Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:08.735{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FD4EF4ADC13DA7406BC5F252162514E0,SHA256=3EB74EC06A61E020FCE7A6018E84C5BF75E7DAD7512D65E100E6EA4F1D671AC1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192466Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:08.505{E743DC12-5040-6323-2C01-000000007602}34562644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192465Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:08.267{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-5040-6323-2C01-000000007602}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192464Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:08.267{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192463Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:08.267{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192462Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:08.267{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192461Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:08.267{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192460Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:08.267{E743DC12-4ACF-6323-0500-000000007602}412528C:\Windows\system32\csrss.exe{E743DC12-5040-6323-2C01-000000007602}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192459Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:08.267{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-5040-6323-2C01-000000007602}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000192458Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:08.269{E743DC12-5040-6323-2C01-000000007602}3456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000192457Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:08.189{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEE198733BC5764C4FCF72EA8EF31938,SHA256=A20480FCAD172FB277E13E3CA4C23295973C564F56B0443CA32BFB33B5B00C8F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000354345Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:08.242{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Users\Administrator\AppData\Roaming\Tor\tor.zip2022-09-15 16:17:18.136 23542300x8000000000000000354348Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:09.624{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2637F410977FBB4A267CEAABB093BAD4,SHA256=71BEBB86E473524219C7ABB1430EE3D381ED7C70C168E674322CBA03D320C44F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192494Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:09.946{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-5041-6323-2F01-000000007602}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192493Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:09.946{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192492Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:09.946{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192491Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:09.946{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192490Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:09.946{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192489Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:09.946{E743DC12-4ACF-6323-0500-000000007602}4121064C:\Windows\system32\csrss.exe{E743DC12-5041-6323-2F01-000000007602}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192488Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:09.946{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-5041-6323-2F01-000000007602}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000192487Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:09.947{E743DC12-5041-6323-2F01-000000007602}2348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=82B4C70E6AA15CE4AABB631DA73429A2,SHA256=80ECB7DFA33366FD12D6796A32E0435355F620DA83A8894D00BBAB09197A0F10,IMPHASH=1BDECF92268D3D3EF70015DDFEB0FFB9{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000192486Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:09.828{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=0B1BFA9435CF640310C8FD617DDE5CF5,SHA256=D63A2636CC7043997F7B667B26FF4A5117512A598D773C5D06D8E161D0EA6701,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192485Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:09.596{E743DC12-5041-6323-2E01-000000007602}37481788C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+610325|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60fe56|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60943|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+60f97|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+9e7f20|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192484Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:09.390{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-5041-6323-2E01-000000007602}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192483Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:09.390{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192482Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:09.390{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192481Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:09.390{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192480Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:09.390{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192479Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:09.390{E743DC12-4ACF-6323-0500-000000007602}412428C:\Windows\system32\csrss.exe{E743DC12-5041-6323-2E01-000000007602}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192478Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:09.390{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-5041-6323-2E01-000000007602}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000192477Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:09.391{E743DC12-5041-6323-2E01-000000007602}3748C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.2.5Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=C8BED8D054FDE4C4222F39C750539874,SHA256=765D1E768D7027343C681DF3B2F6113ED0337F7179CDAE9CF89979A8725CE490,IMPHASH=5DCBAD7446F97D73DA1DA121D8CD8778{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000192476Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:09.375{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC376EA368623606B66F48E9C4AC3C9E,SHA256=935447C37273BF0AB492B696AB40936B8616E98EDF5BA2849D73BC9E0ABBDB26,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000354347Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:06.270{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63747-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000354349Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:10.690{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8B22914BDB9E44BB3EF6DFD1A5F2330,SHA256=343E7BB5E7C8A2AE9D155EDA7D37F8BD537A3ADC24FB67B10343915EE92DC6B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192506Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:10.730{E743DC12-5042-6323-3001-000000007602}21724996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae795|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6ae2c6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+643d8|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+65dfc|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+9dcf50|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192505Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:10.574{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-5042-6323-3001-000000007602}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192504Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:10.574{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192503Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:10.574{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192502Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:10.574{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192501Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:10.574{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192500Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:10.574{E743DC12-4ACF-6323-0500-000000007602}412428C:\Windows\system32\csrss.exe{E743DC12-5042-6323-3001-000000007602}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192499Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:10.574{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-5042-6323-3001-000000007602}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000192498Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:10.576{E743DC12-5042-6323-3001-000000007602}2172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.2.5Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=611F936426EC989CDC9FB43B692D3CFA,SHA256=AF94FF9B82C4BF6F27A5695E741D2BDF06A6A574924179D0BC9E7B8A725882F5,IMPHASH=A2763C4BA6D4717F662584401724A6B2{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000192497Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:08.420{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49966-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000192496Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:10.461{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D2E5F55E46C11753AD4E67B40C6442A,SHA256=17FB4029DA4EEC089F27EA330F18B880A6907E06556EE13AB71A1F7C8A387F7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000192495Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:10.117{E743DC12-5041-6323-2F01-000000007602}23482884C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+606005|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+605b36|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+75996|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+9dd220|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000354352Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:11.792{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA687F2940439A93EEED5630FE0EA42A,SHA256=066BBB5D8CF1DBCB38A1D7F4B2D4A5714113261B877A55EB354DDA5E8C6999E1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354351Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:11.692{6820D070-4AD1-6323-0D00-000000007502}8883304C:\Windows\system32\svchost.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3d6e2|c:\windows\system32\rpcss.dll+29a17|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000192515Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:11.556{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8255ECB43F48E98B6A16E331CA9FAEA,SHA256=04A70C148FAF86F337616BCBF4D1036EAE8EE73608DE6010885F282EBBCA15C0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000354350Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:11.545{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Users\Administrator\AppData\Roaming\Tor\tor.zip2022-09-15 16:17:18.136 10341000x8000000000000000192514Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:11.190{E743DC12-4AD2-6323-2B00-000000007602}29042924C:\Windows\system32\conhost.exe{E743DC12-5043-6323-3101-000000007602}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192513Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:11.190{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192512Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:11.190{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192511Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:11.190{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192510Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:11.190{E743DC12-4ACF-6323-0C00-000000007602}724876C:\Windows\system32\svchost.exe{E743DC12-4AD0-6323-2100-000000007602}2020C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000192509Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:11.190{E743DC12-4ACF-6323-0500-000000007602}412428C:\Windows\system32\csrss.exe{E743DC12-5043-6323-3101-000000007602}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000192508Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:11.190{E743DC12-4AD1-6323-2200-000000007602}11963956C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{E743DC12-5043-6323-3101-000000007602}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000192507Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:11.191{E743DC12-5043-6323-3101-000000007602}2856C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.2.5Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{E743DC12-4ACF-6323-E703-000000000000}0x3e70SystemMD5=40AB9FBBAEDDA47FD9B0A2EC5E183B97,SHA256=8A7CB60452D38C258714CE37C2C490E78007A9E4F4F9A94B270BDBA59FA8F1AE,IMPHASH=35240A25EDE7EC5A65BF627E57E772B9{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000354353Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:12.747{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FE6B7A46717421B16CDD3AF4A37BB2E,SHA256=1227446C3AB6C80F3F0D347D1F30D0F30CAA70AAD5BF47C59863D9C54A29AE2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192517Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:12.651{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4193CF72ED95803795FF37F02F91E811,SHA256=4037C78EE084A1333C4ED74E3336B2FF61E9F87EAFB9DFEC0AD67DA3E778BBE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192516Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:12.272{E743DC12-4AD1-6323-2200-000000007602}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\spool\splunk\tracker.logMD5=548CF7B51AB0EA4DE906CA4D7F1D4CD0,SHA256=534F0FAC610277913405DDFDA5C43D721B83AB14D69E6AED9EDA16E2E649F1F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354355Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:13.848{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B9F0A11390F964D5426108E20DCF8C8,SHA256=EDAC3A8770E595A4CBC3A962FD0B9D521788F153AB0EE15376D40B3EA7A58F54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192518Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:13.742{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F903FDBB4B493DD814540DAB8B31899,SHA256=CEB748A3B4D46529B5FE23190D0B670A72F7D39C3B06A886E5A5DBF081B2A654,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354354Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:13.648{6820D070-4D64-6323-ED00-000000007502}6140ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\qyyifi8m.default-release\datareporting\glean\db\data.safe.binMD5=2ED6099C74EF5E53DABDC1A99FD689B9,SHA256=5AEB78088F9390DDACB4FA5D72F136CCB2F2939AF5F1C39F2FE7FC4960180645,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192519Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:14.841{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0968201B456B15EF1E51FC095D268F28,SHA256=22DBE5E34CC337EB2C70822826E7C2DEAD540EB904ABD01775224F47DD951B36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354358Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:14.914{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8D151430DA0762A7AA2D5731137C164,SHA256=4D50E8E2DB46895E8745A2A29DEC4DB00903A7EA6EE0F3FB33F9D78E42E58493,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000354357Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:14.865{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Users\Administrator\AppData\Roaming\Tor\tor.zip2022-09-15 16:17:18.136 354300x8000000000000000354356Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:11.293{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63758-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000192521Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:15.940{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F87FDE481A41DB25AA5801D990E8DE3E,SHA256=9DC7AEA754C5CA2A56812FAF5278AAF4B8CB64BE8ADB4BE495717D5AA3C81177,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354359Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:15.915{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CE7CE329F95DDBBC49D7FB418D7A97D,SHA256=F67E40457F9D92AF69D3C99425878D6902E4F9A02973EE38A7E0C88C40B4513A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192520Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:13.431{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49967-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 23542300x8000000000000000192522Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:17.134{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91C5F6A7C1C0F4A4C991C1E67C33D92D,SHA256=16F30A9D1649F6D8DD0E673EE75EB7E25A2A069E876C8B3D8BE8189E20E58329,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000354360Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:17.036{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=518DD828BEDC4D99778B74E0595CF24A,SHA256=CA0F70B4428CFE1091912D55CF8544AA18A6593E03F870233229338D122E9944,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192523Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:18.232{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EE2B2790BC56A81BC7EFF02197016F0,SHA256=563AE578DC2D9B79C393F7506B78CB2E07B93E7662C64F1F6C5E208C71B530BB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x8000000000000000354362Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:18.201{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Users\Administrator\AppData\Roaming\Tor\tor.zip2022-09-15 16:17:18.136 23542300x8000000000000000354361Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:18.153{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1E6497E632EE0A2B464A49DE11BF926,SHA256=239E9E1B5380B2684C23ED15300E5FB43D295C9F1B2BC8B7949C7F410AEF4B66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192524Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:19.325{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DCE3344262D1250749287DE6C984301,SHA256=6F38998B8A671441180AA444518D2F4B6D04469561EC5E05BDDF538AE93C1F6A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354388Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:19.842{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2E00-000000007502}2728C:\Windows\system32\dfssvc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354387Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:19.841{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2D00-000000007502}2720C:\Windows\System32\ismserv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354386Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:19.834{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 354300x8000000000000000354385Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:16.385{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-ctus-attack-range-403.attackrange.local63768-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000354384Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:19.399{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2B00-000000007502}2704C:\Windows\system32\dns.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354383Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:19.391{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2900-000000007502}2576C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354382Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:19.385{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2700-000000007502}2556C:\Windows\system32\DFSRs.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354381Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:19.372{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2600-000000007502}2544C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354380Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:19.364{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2500-000000007502}2460C:\Windows\System32\spoolsv.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354379Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:19.361{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADB-6323-2300-000000007502}2300C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354378Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:19.359{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD2-6323-1B00-000000007502}1512C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354377Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:19.354{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1700-000000007502}1348C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354376Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:19.336{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1600-000000007502}1292C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354375Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:19.311{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1500-000000007502}1220C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354374Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:19.305{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1400-000000007502}1160C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354373Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:19.298{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1300-000000007502}924C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354372Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:19.290{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1200-000000007502}396C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354371Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:19.282{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1100-000000007502}408C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354370Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:19.274{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-1000-000000007502}428C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354369Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:19.260{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0F00-000000007502}1016C:\Windows\System32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 23542300x8000000000000000354368Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:19.258{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=566F9BDA3CA158C8AFCFEF46EA211DB0,SHA256=E699543E45E76AA99687D9A0D8944391ECCE1A43973B99E73EA296313B2F57E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354367Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:19.247{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0E00-000000007502}988C:\Windows\system32\LogonUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354366Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:19.233{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0D00-000000007502}888C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354365Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:19.213{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AD1-6323-0C00-000000007502}828C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354364Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:19.171{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0B00-000000007502}620C:\Windows\system32\lsass.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354363Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:19.169{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ACF-6323-0900-000000007502}560C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 23542300x8000000000000000192526Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:20.911{E743DC12-4AD1-6323-2200-000000007602}1196NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=D7A0096A63E5BDCA859E1AA846F8160C,SHA256=9CEC5EA6B8D1B6EF407CEA28B691C02CBD2DF52B0778B7C7B826D5D3A86CBB0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192525Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:20.420{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2420BFD822A1D9A5DC0B81E525153F21,SHA256=338E33E236A3418F7390A4CAADDC81FE63C340033AE2F50C15FF4B29DA4A89F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354429Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:20.356{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354428Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:20.356{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354427Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:20.356{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354426Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:20.356{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354425Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:20.356{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354424Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:20.356{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354423Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:20.356{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354422Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:20.356{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354421Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:20.356{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354420Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:20.356{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-3000-000000007502}2780C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354419Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:20.356{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-3000-000000007502}2780C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354418Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:20.356{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354417Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:20.356{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354416Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:20.356{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354415Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:20.356{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354414Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:20.356{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354413Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:20.356{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354412Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:20.356{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354411Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:20.356{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354410Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:20.356{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354409Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:20.356{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354408Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:20.356{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354407Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:20.356{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354406Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:20.356{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354405Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:20.356{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354404Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:20.356{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354403Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:20.355{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354402Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:20.355{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354401Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:20.355{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354400Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:20.355{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354399Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:20.355{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354398Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:20.355{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354397Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:20.355{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354396Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:20.355{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354395Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:20.355{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354394Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:20.355{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354393Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:20.355{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354392Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:20.355{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354391Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:20.354{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3b3c6|c:\windows\system32\rpcss.dll+3a20a|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354390Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:20.354{6820D070-4AD1-6323-0D00-000000007502}888908C:\Windows\system32\svchost.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+2dab9|c:\windows\system32\rpcss.dll+3a0e4|c:\windows\system32\rpcss.dll+2b92e|c:\windows\system32\rpcss.dll+2a843|c:\windows\system32\rpcss.dll+46118|c:\windows\system32\rpcss.dll+465c2|c:\windows\system32\rpcss.dll+48ecf|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14422|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 23542300x8000000000000000354389Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:20.212{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D76E390CA38D27F310F82E2023395B1D,SHA256=BEB4D09277C5FB0158EE9C785D262FD31E0C81CA8007F28353962BFA412ACAB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000192528Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:21.641{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=113C39377E96C6009C3C11E081CD5129,SHA256=58D335EADDC180D8DB31FC76C1B27B539BED9C8050CCD39EB3A4315DDC76323E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192527Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:19.393{E743DC12-4ADC-6323-6200-000000007602}4076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49968-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8000- 10341000x8000000000000000354444Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:21.903{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3500-000000007502}2408C:\Windows\System32\vds.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354443Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:21.900{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3300-000000007502}2176C:\Windows\system32\wbem\unsecapp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354442Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:21.895{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354441Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:21.892{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3100-000000007502}2816C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354440Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:21.889{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-2F00-000000007502}2800C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354439Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:21.886{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4ADF-6323-3000-000000007502}2780C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 734700x8000000000000000354438Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:21.634{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\fastprox.dll10.0.14393.0 (rs1_release.160715-1616)WMI Custom MarshallerMicrosoft® Windows® Operating SystemMicrosoft Corporationfastprox.dllMD5=FBA861EF9AE6F64CA375EEA558D3149B,SHA256=E7DA765AF081635A814E769967702B4711FC64E785EBA9757FFF4590B5C65A4B,IMPHASH=BEC4D2DC6E5428E09C45B14235429DCFtrueMicrosoft WindowsValid 734700x8000000000000000354437Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:21.632{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemsvc.dll10.0.14393.0 (rs1_release.160715-1616)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemsvc.dllMD5=75B865AD79ECEA39F566F4EE82B8EC07,SHA256=2C87DCCB0754D5B3A6C27D56E5F2093F987B91607A30F8B80EBCF055E43A47D5,IMPHASH=C49BA5C02FD2B43AF8015BD8DB280C09trueMicrosoft WindowsValid 734700x8000000000000000354436Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:21.631{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wmiutils.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwmiutils.dllMD5=702319112D2F681C66B14498726FA574,SHA256=75BC4A81D38D7AF68B50B064E62C2C12D2CC40C7FDD22C805A7752F998DAE7BC,IMPHASH=56F5812B2484AA9836A89CDEBFF180F9trueMicrosoft WindowsValid 734700x8000000000000000354435Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:21.629{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemprox.dll10.0.14393.4169 (rs1_release.210107-1130)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemprox.dllMD5=F14B95C2CD2AC79A48069C95C724EF55,SHA256=9EF2E84DFC50B37D790FA46ABB71AB540D1860B38C8778C092233683FCBDF366,IMPHASH=C93E7CA22B07D6A204D0EDA95C47798DtrueMicrosoft WindowsValid 734700x8000000000000000354434Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:21.628{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbemcomn.dll10.0.14393.4530 (rs1_release.210705-0736)WMIMicrosoft® Windows® Operating SystemMicrosoft Corporationwbemcomn.dllMD5=8AAD6DC39B4736CFF6433DB1830FCFFE,SHA256=6824B185E6B10B6F177B30517654DBE04857834026B301EFCED535654106965C,IMPHASH=8514CF5DB6BF3E4E3C129FB76ABCD096trueMicrosoft WindowsValid 734700x8000000000000000354433Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:21.627{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exeC:\Windows\SysWOW64\wbem\wbemdisp.dll10.0.14393.0 (rs1_release.160715-1616)WMI ScriptingMicrosoft® Windows® Operating SystemMicrosoft CorporationWBEMDISP.DLLMD5=33DAA92D1E0EFA99CC43F230425FC45C,SHA256=CC918882E63705189F4A906FF37FC1CDA98C364B3BF80AA3B8C3AB3B617730EC,IMPHASH=1C111878DECF803B4FA0CD5D5C40492AtrueMicrosoft WindowsValid 10341000x8000000000000000354432Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:21.625{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2A00-000000007502}2616C:\Program Files\Aurora-Agent\aurora-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+406b6|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+54cfb|C:\Windows\System32\RPCRT4.dll+533da|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 11241100x8000000000000000354431Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:21.470{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exeC:\Users\Administrator\AppData\Roaming\Tor\tor.zip2022-09-15 16:17:18.136 23542300x8000000000000000354430Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:21.439{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F25E5072D6DD72EC0C82EE14EFA4560,SHA256=4E78624E93715213E90AE999599BE46C969F4406006A78AD21D053AC8D99ECB2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354476Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:22.566{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-5007-6323-8301-000000007502}7036C:\Temp\agent_tesla-deob.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354475Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:22.566{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4FC8-6323-7801-000000007502}10216C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354474Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:22.565{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4FC8-6323-7701-000000007502}8024C:\Windows\system32\cmd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354473Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:22.551{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4E46-6323-4401-000000007502}5176C:\Users\Administrator\Downloads\dnSpy.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354472Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:22.548{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3901-000000007502}9780C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354471Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:22.546{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3801-000000007502}9768C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354470Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:22.544{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DFC-6323-3701-000000007502}9760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354469Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:22.541{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1B01-000000007502}948C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354468Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:22.537{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF8-6323-1A01-000000007502}6424C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354467Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:22.534{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DF6-6323-1401-000000007502}6248C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354466Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:22.533{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4DB7-6323-0A01-000000007502}6624C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354465Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:22.530{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F100-000000007502}5784C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354464Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:22.527{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D67-6323-F000-000000007502}6028C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354463Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:22.525{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EF00-000000007502}5984C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354462Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:22.517{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D66-6323-EE00-000000007502}5852C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 23542300x8000000000000000354461Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:22.498{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E2D4F4308989C5D062F2694E100ACBF,SHA256=72F57A723F0590644627E84B1863A62C2AAE2BAAB7D49CCE8485D17444375A1F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000354460Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:22.497{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4D64-6323-ED00-000000007502}6140C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354459Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:22.491{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9E00-000000007502}5436C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354458Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:22.481{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B80-6323-9D00-000000007502}5344C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354457Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:22.454{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7F-6323-9900-000000007502}2972C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354456Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:22.449{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-9100-000000007502}4556C:\Windows\system32\svchost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354455Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:22.442{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7E-6323-8E00-000000007502}4492C:\Windows\System32\rdpclip.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 23542300x8000000000000000192530Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:22.738{E743DC12-4AE3-6323-6D00-000000007602}3488NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74DBEB4B82DEDC808F494B71CDC50544,SHA256=15B0CF0A8621E1F5418B43921413DD5B5E0400C214C31A24979B896507266932,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000192529Microsoft-Windows-Sysmon/Operationalwin-host-ctus-attack-range-102-2022-09-15 16:18:20.143{E743DC12-4AD1-6323-2200-000000007602}1196C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-ctus-attack-range-102.us-east-2.compute.internal49969-false10.0.1.12ip-10-0-1-12.us-east-2.compute.internal8089- 10341000x8000000000000000354454Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:22.438{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8B00-000000007502}4360C:\Windows\system32\dwm.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354453Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:22.436{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B7C-6323-8900-000000007502}900C:\Windows\system32\winlogon.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354452Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:22.435{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B64-6323-8600-000000007502}5052c:\windows\system32\inetsrv\w3wp.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354451Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:22.431{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4B5A-6323-8400-000000007502}4824C:\Windows\System32\msdtc.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354450Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:22.429{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AF2-6323-7D00-000000007502}3084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354449Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:22.427{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AEB-6323-7300-000000007502}2076C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354448Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:22.423{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4C00-000000007502}3976C:\Windows\system32\wbem\wmiprvse.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354447Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:22.423{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE2-6323-4700-000000007502}3772C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354446Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:22.420{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE1-6323-4600-000000007502}3752C:\Program Files\Amazon\SSM\ssm-agent-worker.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 10341000x8000000000000000354445Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:22.419{6820D070-4ADF-6323-2A00-000000007502}26163612C:\Program Files\Aurora-Agent\aurora-agent.exe{6820D070-4AE0-6323-3A00-000000007502}3404C:\Windows\system32\conhost.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\wow64.dll+124f4|C:\Windows\System32\wow64.dll+6e75|C:\Windows\System32\wow64cpu.dll+1d07|C:\Windows\System32\wow64.dll+1bf87|C:\Windows\System32\wow64.dll+cba0|C:\Windows\SYSTEM32\ntdll.dll+783e0|C:\Windows\SYSTEM32\ntdll.dll+77fae|C:\Windows\SYSTEM32\ntdll.dll+6ecfc(wow64)|C:\Windows\System32\KERNELBASE.dll+c6b98(wow64)|C:\Program Files\Aurora-Agent\aurora-agent.exe+69f35|UNKNOWN(00000000171B2190) 23542300x8000000000000000354529Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.773{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=092CB01A852E67C53BF0028E5AA01FF2,SHA256=39B26305F90A9AEA5E56942E1FF010097764F3303F5E70A5B105F8C3195BAEA1,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000354528Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.642{6820D070-504F-6323-8B01-000000007502}8476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel.appcore.dll10.0.14393.2312 (rs1_release.180607-1919)AppModel API HostMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel.appcore.dllMD5=0AF5EF8A7FEFD4B37036B71514FC20CF,SHA256=D4F178583F6F33794D42B4DB11008494E9CD9F069C2AD2CA304DA63F9B5F659C,IMPHASH=94524C03C5380F78283785F1E05E667DtrueMicrosoft WindowsValid 734700x8000000000000000354527Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.640{6820D070-504F-6323-8B01-000000007502}8476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbgcore.dll10.0.14321.1024 (debuggers(dbg).210127-1811)Windows Core Debugging HelpersMicrosoft® Windows® Operating SystemMicrosoftDBGCORE.DLLMD5=72E8FEC8419AB470FB737883463688FE,SHA256=1DA7D2D2D1C4E6EC17101A4997C4AA610818730D63C72C1D2084ABA3F25C5146,IMPHASH=F67CBD9561C1FEF51B817BA184E81D2EtrueMicrosoft WindowsValid 734700x8000000000000000354526Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.640{6820D070-504F-6323-8B01-000000007502}8476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\dbghelp.dll10.0.14321.1024 (rs1_release.160715-1616)Windows Image HelperMicrosoft® Windows® Operating SystemMicrosoftDBGHELP.DLLMD5=2C92DF5D32661FB4B81B08B72B2102A7,SHA256=BCEF4DEBDE7D8D6916EE3D3E5E63A725E03A058AABCD7DD49DF9D48B16E96D1A,IMPHASH=E7FD2920222985E31019D022BB39EFBEtrueMicrosoft WindowsValid 23542300x8000000000000000354525Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.572{6820D070-4AF2-6323-7D00-000000007502}3084NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6832690DC0B13A94527883D23FA1076,SHA256=19B9673CC983A606D04F7579658B3485F572FF78E9B847C9C3DC09867834C0D8,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000354524Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.472{6820D070-504F-6323-8B01-000000007502}8476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptbase.dll10.0.14393.0 (rs1_release.160715-1616)Base cryptographic API DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptbase.dllMD5=51FCB0FDEFCB9A3E4A1DC8C8673BC63C,SHA256=63A0E1A76B7ABCF56E44B548568649FFB6B5609402746D48A4DC77CCED20F5FE,IMPHASH=9E9C9DFD04CDDF2B6F1412BF096AEAF4trueMicrosoft WindowsValid 734700x8000000000000000354523Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.472{6820D070-504F-6323-8B01-000000007502}8476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rsaenh.dll10.0.14393.4467 (rs1_release.210604-1844)Microsoft Enhanced Cryptographic ProviderMicrosoft® Windows® Operating SystemMicrosoft Corporationrsaenh.dllMD5=28140830C342F475A597B2D54C42DFFA,SHA256=99E23D0177C6DC59AD72DEEC46CFB995828EF567F001261BC65532B6DDEAD862,IMPHASH=C918D75BDB7774C087BB6C0C9C0A7686trueMicrosoft WindowsValid 734700x8000000000000000354522Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.472{6820D070-504F-6323-8B01-000000007502}8476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\cryptsp.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptographic Service Provider APIMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptsp.dllMD5=9500AE4C4B639FEAEED0CC6C39F45149,SHA256=C1055D4B9A854282336A5404CA0FCB1A2EBC3417600035338C9CDFC7B8D0778C,IMPHASH=96CBD1B5C0EA88B677BA3BB5FD009869trueMicrosoft WindowsValid 734700x8000000000000000354521Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.472{6820D070-504F-6323-8B01-000000007502}8476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\srvcli.dll10.0.14393.5066 (rs1_release.220401-1841)Server Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationSRVCLI.DLLMD5=75E3DE473374E0BCBBD1EC60036A93EC,SHA256=23EBE577D2080D4C7532184B69E44BF640BB44084F9046A5AF364268A7BDB1EC,IMPHASH=6CC8301D560C9DC6CB13A6320F3A3B1FtrueMicrosoft WindowsValid 734700x8000000000000000354520Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.472{6820D070-504F-6323-8B01-000000007502}8476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcrypt.dll10.0.14393.4583 (rs1_release.210730-1850)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcrypt.dllMD5=63231EA984BC614584102A96D4F35CB4,SHA256=13C5BD283C01B0D50D8D0D99E88FC67F9234FA14A6860AB2B6EE552199FF6A74,IMPHASH=7C2E79D83754439DC7DE7882DCB4238DtrueMicrosoft WindowsValid 734700x8000000000000000354519Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.472{6820D070-504F-6323-8B01-000000007502}8476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\wkscli.dll10.0.14393.5066 (rs1_release.220401-1841)Workstation Service Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWKSCLI.DLLMD5=3D375474E2FE9A77D243E35954287188,SHA256=7850F11166D7CACED6F628033524ED86191AE92772000AFA677E59A664396E8C,IMPHASH=6990BA83B94C81786A84E6C44E699D03trueMicrosoft WindowsValid 734700x8000000000000000354518Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.472{6820D070-504F-6323-8B01-000000007502}8476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netutils.dll10.0.14393.0 (rs1_release.160715-1616)Net Win32 API Helpers DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNETUTILS.DLLMD5=504739A17F3A05531258784275A6F375,SHA256=A931C54C47B454407990241DB12BD209AC219C55F026ADDED427A9E84A409923,IMPHASH=7D1B32891B9173ED71ED6C18DEFEE578trueMicrosoft WindowsValid 734700x8000000000000000354517Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.472{6820D070-504F-6323-8B01-000000007502}8476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\netapi32.dll10.0.14393.5125 (rs1_release.220429-1732)Net Win32 API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationNetApi32.DLLMD5=E8FF656B90334BED915B2BC6BBE57C9A,SHA256=8BB399AD98B9D9C637D09EB48306B1E80C50BAA7D1C9811595D9042E4294173C,IMPHASH=FE007B4B6CED5075C98434207FFF87E0trueMicrosoft WindowsValid 734700x8000000000000000354516Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.456{6820D070-504F-6323-8B01-000000007502}8476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\msvcp140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationmsvcp140.dllMD5=BA72C2F6F465926980ADC2FB7F8B3490,SHA256=86881A7054532019291C162F0A8177980C1C2B45490F7E88543F22915D08D9FF,IMPHASH=ADF99B9EA3A1F76C33522F96772BC4DDtrueMicrosoft CorporationValid 734700x8000000000000000354515Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.456{6820D070-504F-6323-8B01-000000007502}8476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcp_win.dll10.0.14393.2999 (rs1_release_inmarket.190520-1518)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcp_win.dllMD5=C50C0CEFA633773AB29572E05834F1FE,SHA256=50178F23AA57B31626614C6C65DA2B6518A64FF684FFA18A0F49C4431DFCBEC5,IMPHASH=5B59892514923CABE9B70CFE22A3F59AtrueMicrosoft WindowsValid 734700x8000000000000000354514Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.456{6820D070-504F-6323-8B01-000000007502}8476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\oleaut32.dll10.0.14393.4402 (rs1_release.210426-1725)OLEAUT32.DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationOLEAUT32.DLLMD5=57B07BF89C63FA60A810FEDE496126CA,SHA256=080632F80FA2A387E5A55C670FFE07C927D553FDDA26F7F8B4156C0C6B20E75E,IMPHASH=8987D71C85BB2C13D3D90194331F962FtrueMicrosoft WindowsValid 734700x8000000000000000354513Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.456{6820D070-504F-6323-8B01-000000007502}8476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\bcryptprimitives.dll10.0.14393.4770 (rs1_release.211101-1440)Windows Cryptographic Primitives LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationbcryptprimitives.dllMD5=54417B63FB3760BC6DBC5DB1BDA4C272,SHA256=B7A8B457B252AB949C067D5FCFEFB2AE98E9115B958D2A0FC120D7B13B3E9FAD,IMPHASH=BA5C37A1CF8C2730ED1F4DA1587496A5trueMicrosoft WindowsValid 734700x8000000000000000354512Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.456{6820D070-504F-6323-8B01-000000007502}8476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\Wldap32.dll10.0.14393.5192 (rs1_release.220610-1622)Win32 LDAP API DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationWLDAP32.DLLMD5=48620A4A9EE4129296C93ED63D5363B2,SHA256=1FACA8BACE6051E29DEB1BB593B7F17FDABCCFC7A0FC4562BD77AA7CFB579435,IMPHASH=D13722FCCB1CDD38974ADB7277D98799trueMicrosoft WindowsValid 734700x8000000000000000354511Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.456{6820D070-504F-6323-8B01-000000007502}8476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\combase.dll10.0.14393.5192 (rs1_release.220610-1622)Microsoft COM for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationCOMBASE.DLLMD5=336FBB55FF4D4E5A05343A51C98A8F74,SHA256=FD42EBCB39DD4311FA7515010FF4D08AC4DFF7D5C35FCB23207833ED4C2E8444,IMPHASH=0863DD72CA0C3702DB7ACD19A4D5DEB1trueMicrosoft WindowsValid 734700x8000000000000000354510Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.456{6820D070-504F-6323-8B01-000000007502}8476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\adsldpc.dll10.0.14393.0 (rs1_release.160715-1616)ADs LDAP Provider C DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationadsldpcMD5=F03FD7F523CFDBB96B0F3B8012FC161D,SHA256=8218E5AC2D7A52A2D50CD8D3CC8AA8CE4E37D1BDECFA62BC2637AA32A01CBA54,IMPHASH=AFF2E9AF6DD20912DC1E604BDBCA3761trueMicrosoft WindowsValid 734700x8000000000000000354509Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.456{6820D070-504F-6323-8B01-000000007502}8476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ole32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Microsoft OLE for WindowsMicrosoft® Windows® Operating SystemMicrosoft CorporationOLE32.DLLMD5=EB53D1BF6E1667C8727EBBB5D5A862ED,SHA256=2B3D48DFA43A284B1C66A8A98B0A48104133D86EEEB2E8E060BE2281CF476348,IMPHASH=9724475F92787AFC45A3BA458C0DCDC5trueMicrosoft WindowsValid 734700x8000000000000000354508Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.456{6820D070-504F-6323-8B01-000000007502}8476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32full.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=F284A98093B423946252259D7D2857D3,SHA256=193F70529B68EF108EA17ABC069E6DACF4541A547DF1D2F249F7555A58BCFA07,IMPHASH=059EB3BAA45E35C79FAE66F7279059EEtrueMicrosoft WindowsValid 734700x8000000000000000354507Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.456{6820D070-504F-6323-8B01-000000007502}8476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\win32u.dll10.0.14393.0 (rs1_release.160715-1616)Win32uMicrosoft® Windows® Operating SystemMicrosoft CorporationWin32u.DLLMD5=6A40F9C63B52CB4E8271CF3418618033,SHA256=A2BE23DA7AADFA9118130C939CD59D86E590957172FF404511EE6C5EC5147F15,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000354506Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.456{6820D070-504F-6323-8B01-000000007502}8476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\gdi32.dll10.0.14393.4169 (rs1_release.210107-1130)GDI Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationgdi32MD5=551D603CEC947F586DB9FADEF4D2EBA6,SHA256=143125EFF9F3BC5B3F3BE505F3C3814393807B9CACB6AA5F75D39C77EC0D4ED8,IMPHASH=A24D446CB7FCBB6D29B592603C0BE00CtrueMicrosoft WindowsValid 734700x8000000000000000354505Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.456{6820D070-504F-6323-8B01-000000007502}8476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\user32.dll10.0.14393.4169 (rs1_release.210107-1130)Multi-User Windows USER API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationuser32MD5=883B59C5557E8A9B3C1E1ED1CA48CD5A,SHA256=271800C20A96587265BF83DE2EFC11329EEB2B6C0D57E5E0BCD137FB96BFE6E3,IMPHASH=070F257E4632BC576557C4085595EAA4trueMicrosoft WindowsValid 734700x8000000000000000354504Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.456{6820D070-504F-6323-8B01-000000007502}8476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\vcruntime140.dll14.16.27012.6 built by: vcwrkspcMicrosoft® C Runtime LibraryMicrosoft® Visual Studio® 2017Microsoft Corporationvcruntime140.dllMD5=0C583614EB8FFB4C8C2D9E9880220F1D,SHA256=6CADB4FEF773C23B511ACC8B715A084815C6E41DD8C694BC70090A97B3B03FB9,IMPHASH=2CB5DA5225E972A08F32D04B8085DC7EtrueMicrosoft CorporationValid 734700x8000000000000000354503Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.456{6820D070-504F-6323-8B01-000000007502}8476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ws2_32.dll10.0.14393.3241 (rs1_release_inmarket.190910-1801)Windows Socket 2.0 32-Bit DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationws2_32.dllMD5=06E82905620845A7C185BDEE85CC4140,SHA256=B75C9B080293F85568912BABE749F403144959206F9C6BAB36B628E8F77C5DA0,IMPHASH=76A5AA3DF6083D853F576403C8F841A8trueMicrosoft WindowsValid 734700x8000000000000000354502Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.456{6820D070-504F-6323-8B01-000000007502}8476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\archive.dll-----MD5=AD564ED89D67D88709AA5980BAE20604,SHA256=0EEBE5AA750667908006742E133AE1C273D966897B95B1A0E63826450BB4780A,IMPHASH=A48DFE6DD98128BE3EB687CBF2724A44trueSplunk, Inc.Valid 734700x8000000000000000354501Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.456{6820D070-504F-6323-8B01-000000007502}8476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\rpcrt4.dll10.0.14393.5291 (rs1_release.220806-1444)Remote Procedure Call RuntimeMicrosoft® Windows® Operating SystemMicrosoft Corporationrpcrt4.dllMD5=F8550606B41FF309D9A1DC76BB4EE875,SHA256=A1FFDD6A2EDA9E0CF047C74B00649A2EA228E3B8BDE1761C66879FA40335C2EB,IMPHASH=C4246EC3F13C64466ED4274DBAA3B132trueMicrosoft WindowsValid 734700x8000000000000000354500Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.456{6820D070-504F-6323-8B01-000000007502}8476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libeay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/libeay32.dllMD5=B28B29D2F85EB8349BFB5E7214D7F4D5,SHA256=17260ACBE55D8988E598ECEFBC60140EBE057336B47D8089444588321F067280,IMPHASH=838F909F0A52D977E0B8662364FA0BFEtrueSplunk, Inc.Valid 734700x8000000000000000354499Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.456{6820D070-504F-6323-8B01-000000007502}8476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec-openssl.dll-----MD5=98C643DECFE1971BE3E8B076B19BFD72,SHA256=A520C20F316C902985449BC17AB5F86FCF2F41420B08C1AE08BA06E767EB49F3,IMPHASH=464BF3FDF330E6A15D24CC679EF7F72EtrueSplunk, Inc.Valid 734700x8000000000000000354498Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.456{6820D070-504F-6323-8B01-000000007502}8476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxmlsec.dll-----MD5=9BC99DECE580BD163AC318FCD1ACB667,SHA256=94BA08021E14476ED8EC2DC81165574B64274E20F2D8DE9CA98CD0D10CE279F7,IMPHASH=3295DC2518E43BEF226F8847873D20C2trueSplunk, Inc.Valid 734700x8000000000000000354497Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.456{6820D070-504F-6323-8B01-000000007502}8476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\sechost.dll10.0.14393.5006 (rs1_release.220301-1704)Host for SCM/SDDL/LSA Lookup APIsMicrosoft® Windows® Operating SystemMicrosoft Corporationsechost.dllMD5=9F0F4C38A22FC9FFB8814F77A9563680,SHA256=E9ABDA1063716301F5D06DBC94D6A35B3F53A14B946525E5F764485132DB6166,IMPHASH=D6E06125849E8565A50F366A0149FB40trueMicrosoft WindowsValid 734700x8000000000000000354496Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.456{6820D070-504F-6323-8B01-000000007502}8476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\ssleay32.dll1.0.2zaOpenSSL Shared LibraryThe OpenSSL ToolkitThe OpenSSL Project, http://www.openssl.org/ssleay32.dllMD5=0FE6D3D4B3F4B0F5502371832D12BB8E,SHA256=3DF79909021C72E70D2AE273587296E5E2D5F77315011B5C3115CFA359682647,IMPHASH=E09B42A7EA1725DA2CD99223AD969C63trueSplunk, Inc.Valid 734700x8000000000000000354495Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.456{6820D070-504F-6323-8B01-000000007502}8476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxslt.dll-----MD5=FBA0D04D5A8AEA25D86EC623A14D0056,SHA256=D64FE508393C40160D1EFB22149C69763CBAA921BD1BC74C8D4AE59A10C3B767,IMPHASH=987AB6B8B03EE421D8CC59EAFE452916trueSplunk, Inc.Valid 734700x8000000000000000354494Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.456{6820D070-504F-6323-8B01-000000007502}8476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\msvcrt.dll7.0.14393.2457 (rs1_release_inmarket.180822-1743)Windows NT CRT DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationmsvcrt.dllMD5=0AF8989DD67A135B536CF948E3EFB7EB,SHA256=C693DA0EF4DCF3BC244661B9FD280FE12C3053FDD7B977712C0CF210831B2EF4,IMPHASH=07D6F84E3C8FD0D2C32F9398A0369BAFtrueMicrosoft WindowsValid 734700x8000000000000000354493Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.456{6820D070-504F-6323-8B01-000000007502}8476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ucrtbase.dll10.0.14393.3659 (rs1_release_1.200410-1813)Microsoft® C Runtime LibraryMicrosoft® Windows® Operating SystemMicrosoft Corporationucrtbase.dllMD5=9804D130E8E7178738C2B9808091B427,SHA256=6053B7CC85846F15094475116A8C57BA89FE99FDD1978C54E8A7E2114E318FE3,IMPHASH=57ABD1FDE351971A01E912069E11B44CtrueMicrosoft WindowsValid 734700x8000000000000000354492Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.456{6820D070-504F-6323-8B01-000000007502}8476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\activeds.dll10.0.14393.4169 (rs1_release.210107-1130)ADs Router Layer DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationADsMD5=C62947CD1080E3B128B517AE91B22D6D,SHA256=6BB5D8967F822B5B1646DC9069212914D36C4D3D65E086AC0890B6A02112B438,IMPHASH=C7DF3F2CF025F0BEDA797705E4F4AFBBtrueMicrosoft WindowsValid 734700x8000000000000000354491Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.456{6820D070-504F-6323-8B01-000000007502}8476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\libxml2.dll2.9.10libxml2 librarylibxml2-libxml2.dllMD5=20596DB2126E9F188727597F0FCC7CDB,SHA256=BAD6246A2B43B07FE80643DE40B0CE49751C8E0B95B076AD94E59F16CE8D8C0C,IMPHASH=6DA659461618DB73B9BD17D114677D20trueSplunk, Inc.Valid 734700x8000000000000000354490Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.456{6820D070-504F-6323-8B01-000000007502}8476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\fltLib.dll10.0.14393.0 (rs1_release.160715-1616)Filter LibraryMicrosoft® Windows® Operating SystemMicrosoft CorporationfilterLib.dllMD5=051ABD8360BDA63A1BC77C662FBF0A25,SHA256=C914E2DBAEC2C9A11923A984B30A979637D3A27B3C29E93F4C90FB1D9FBC518F,IMPHASH=74D3C2DA8B6F9861866B866AE40683D3trueMicrosoft WindowsValid 734700x8000000000000000354489Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.456{6820D070-504F-6323-8B01-000000007502}8476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\advapi32.dll10.0.14393.4886 (rs1_release.220104-1735)Advanced Windows 32 Base APIMicrosoft® Windows® Operating SystemMicrosoft Corporationadvapi32.dllMD5=C42106182CCA611F629E46981D1A0EEA,SHA256=68C134F95A8D38AE84545C8D581F4BF808B6C9D97513EA3CABF019C66419CBAE,IMPHASH=B511E4B82A44D3731CDA46A74F5D57EAtrueMicrosoft WindowsValid 10341000x8000000000000000354488Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.456{6820D070-4AE0-6323-3A00-000000007502}34043444C:\Windows\system32\conhost.exe{6820D070-504F-6323-8B01-000000007502}8476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8df|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 734700x8000000000000000354487Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.456{6820D070-504F-6323-8B01-000000007502}8476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\KernelBase.dll10.0.14393.5246 (rs1_release.220701-1744)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft CorporationKernelbase.dllMD5=96EFBE3DB6300BB13E0720809302FF9F,SHA256=2DE51A861E8D47D75730027E8BD70554363E10449EC258527C491EE8D4A57C2F,IMPHASH=05349EBAA635D77714868763D44881E9trueMicrosoft WindowsValid 734700x8000000000000000354486Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.456{6820D070-504F-6323-8B01-000000007502}8476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\kernel32.dll10.0.14393.5127 (rs1_release_inmarket.220514-1756)Windows NT BASE API Client DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationkernel32MD5=92D599E644B89C0F9E7DDB55762EBEA6,SHA256=F32D28EE73EADAF9EF3F30145FA3C52B88DF47236B8747434750832BF1B9CDEE,IMPHASH=3CE0779E0F4E275CD51A359A98CCC682trueMicrosoft WindowsValid 734700x8000000000000000354485Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.456{6820D070-504F-6323-8B01-000000007502}8476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Windows\System32\ntdll.dll10.0.14393.5006 (rs1_release.220301-1704)NT Layer DLLMicrosoft® Windows® Operating SystemMicrosoft Corporationntdll.dllMD5=F5EE39B17A8BCDEDC3D40997C26F62B1,SHA256=11C1C88B1CC11D9800DEEF27ED7ABDFDE3DC852687A3B9FBD5153284106E5952,IMPHASH=00000000000000000000000000000000trueMicrosoft WindowsValid 734700x8000000000000000354484Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.456{6820D070-504F-6323-8B01-000000007502}8476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exeC:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exeMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02DtrueSplunk, Inc.Valid 10341000x8000000000000000354483Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.456{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354482Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.456{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354481Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.456{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354480Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.456{6820D070-4AD1-6323-0C00-000000007502}8283184C:\Windows\system32\svchost.exe{6820D070-4ADF-6323-2C00-000000007502}2712C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\System32\KERNELBASE.dll+5ea84|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7ac63|C:\Windows\System32\RPCRT4.dll+d5bc1|C:\Windows\System32\RPCRT4.dll+5342c|C:\Windows\System32\RPCRT4.dll+35824|C:\Windows\System32\RPCRT4.dll+3473d|C:\Windows\System32\RPCRT4.dll+34feb|C:\Windows\System32\RPCRT4.dll+20ddc|C:\Windows\System32\RPCRT4.dll+2125c|C:\Windows\System32\RPCRT4.dll+106bc|C:\Windows\System32\RPCRT4.dll+11f1b|C:\Windows\System32\RPCRT4.dll+1a50a|C:\Windows\SYSTEM32\ntdll.dll+1d35e|C:\Windows\SYSTEM32\ntdll.dll+1ecc9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 10341000x8000000000000000354479Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.456{6820D070-4ACF-6323-0500-000000007502}404472C:\Windows\system32\csrss.exe{6820D070-504F-6323-8B01-000000007502}8476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6144|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5179f 10341000x8000000000000000354478Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.456{6820D070-4ADF-6323-3200-000000007502}29363888C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{6820D070-504F-6323-8B01-000000007502}8476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7414|C:\Windows\System32\KERNELBASE.dll+2b830|C:\Windows\System32\KERNELBASE.dll+6b316|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+e499f1|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b3255|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd30d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1b59b6|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd3c14|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bd79a|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1c0f1c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd07d2|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dd491d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+1bb965|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+dc694e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51791 154100x8000000000000000354477Microsoft-Windows-Sysmon/Operationalwin-dc-ctus-attack-range-403.attackrange.local-2022-09-15 16:18:23.457{6820D070-504F-6323-8B01-000000007502}8476C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{6820D070-4ACF-6323-E703-000000000000}0x3e70SystemMD5=679D3E04F6AB7B10FF27D06B29C27A12,SHA256=FF1B5220C99EA6173BE693E1C2D700873ADE2F8A73F503FC0D297EA0792756D1,IMPHASH=05D58741E22C6453F52C1A9326FAF02D{6820D070-4ADF-6323-3200-000000007502}2936C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service